Re: [PATCH V2 00/18] vhost-vDPA multiqueue

2021-07-11 Thread Jason Wang



On 2021/7/6 at 4:26 PM, Jason Wang wrote:

Hi All:

This patch implements the multiqueue support for vhost-vDPA. The most
important requirement is the control virtqueue support. The virtio-net
and vhost-net core are tweaked to support control virtqueue as if what
data queue pairs are done: a dedicated vhost_net device which is
coupled with the NetClientState is introduced so most of the existing
vhost codes could be reused with minor changes. With the control
virtqueue, vhost-vDPA is extended to support creating and destroying
multiqueue queue pairs plus the control virtqueue.

Tests are done via the vp_vdpa driver in L1 guest plus vdpa simulator
on L0.

Please review.



If no objection, I will queue this for 6.1.

Thanks




Changes since V1:

- validating all features that depend on ctrl vq
- typo fixes and commit log tweaks
- fix build errors because max_qps is used before it is introduced

Thanks

Jason Wang (18):
   vhost_net: remove the meaningless assignment in vhost_net_start_one()
   vhost: use unsigned int for nvqs
   vhost_net: do not assume nvqs is always 2
   vhost-vdpa: remove the unnecessary check in vhost_vdpa_add()
   vhost-vdpa: don't cleanup twice in vhost_vdpa_add()
   vhost-vdpa: fix leaking of vhost_net in vhost_vdpa_add()
   vhost-vdpa: tweak the error label in vhost_vdpa_add()
   vhost-vdpa: fix the wrong assertion in vhost_vdpa_init()
   vhost-vdpa: remove the unncessary queue_index assignment
   vhost-vdpa: open device fd in net_init_vhost_vdpa()
   vhost-vdpa: classify one time request
   vhost-vdpa: prepare for the multiqueue support
   vhost-vdpa: let net_vhost_vdpa_init() returns NetClientState *
   net: introduce control client
   vhost-net: control virtqueue support
   virito-net: use "qps" instead of "queues" when possible
   virtio-net: vhost control virtqueue support
   vhost-vdpa: multiqueue support

  hw/net/vhost_net.c |  48 +++---
  hw/net/virtio-net.c| 165 ++---
  hw/virtio/vhost-vdpa.c |  55 ++-
  include/hw/virtio/vhost-vdpa.h |   1 +
  include/hw/virtio/vhost.h  |   2 +-
  include/hw/virtio/virtio-net.h |   5 +-
  include/net/net.h  |   5 +
  include/net/vhost_net.h|   7 +-
  net/net.c  |  24 -
  net/tap.c  |   1 +
  net/vhost-user.c   |   1 +
  net/vhost-vdpa.c   | 156 ---
  12 files changed, 332 insertions(+), 138 deletions(-)






Re: [PATCH v1 2/3] hw/riscv: virt: Re-factor FDT generation

2021-07-11 Thread Anup Patel
On Mon, Jun 14, 2021 at 5:52 PM Bin Meng  wrote:
>
> On Sun, Jun 13, 2021 at 12:12 AM Anup Patel  wrote:
> >
> > We re-factor and break the FDT generation into smaller functions
> > so that it is easier to modify FDT generation for different
> > configurations of virt machine.
> >
> > Signed-off-by: Anup Patel 
> > ---
> >  hw/riscv/virt.c | 514 ++--
> >  1 file changed, 320 insertions(+), 194 deletions(-)
> >
> > diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> > index 5eb63f6efd..977d699753 100644
> > --- a/hw/riscv/virt.c
> > +++ b/hw/riscv/virt.c
> > @@ -178,206 +178,253 @@ static void create_pcie_irq_map(void *fdt, char 
> > *nodename,
> > 0x1800, 0, 0, 0x7);
> >  }
> >
> > -static void create_fdt(RISCVVirtState *s, const MemMapEntry *memmap,
> > -   uint64_t mem_size, const char *cmdline, bool 
> > is_32_bit)
> > +static void create_fdt_socket_cpus(RISCVVirtState *s, int socket,
> > +   char *clust_name, uint32_t *phandle,
> > +   bool is_32_bit, uint32_t *intc_phandles)
> >  {
> > -void *fdt;
> > -int i, cpu, socket;
> > +int cpu;
> > +uint32_t cpu_phandle;
> >  MachineState *mc = MACHINE(s);
> > +char *name, *cpu_name, *core_name, *intc_name;
> > +
> > +for (cpu = s->soc[socket].num_harts - 1; cpu >= 0; cpu--) {
> > +cpu_phandle = (*phandle)++;
> > +
> > +cpu_name = g_strdup_printf("/cpus/cpu@%d",
> > +s->soc[socket].hartid_base + cpu);
> > +qemu_fdt_add_subnode(mc->fdt, cpu_name);
> > +qemu_fdt_setprop_string(mc->fdt, cpu_name, "mmu-type",
> > +(is_32_bit) ? "riscv,sv32" : "riscv,sv48");
> > +name = riscv_isa_string(>soc[socket].harts[cpu]);
> > +qemu_fdt_setprop_string(mc->fdt, cpu_name, "riscv,isa", name);
> > +g_free(name);
> > +qemu_fdt_setprop_string(mc->fdt, cpu_name, "compatible", "riscv");
> > +qemu_fdt_setprop_string(mc->fdt, cpu_name, "status", "okay");
> > +qemu_fdt_setprop_cell(mc->fdt, cpu_name, "reg",
> > +s->soc[socket].hartid_base + cpu);
> > +qemu_fdt_setprop_string(mc->fdt, cpu_name, "device_type", "cpu");
> > +riscv_socket_fdt_write_id(mc, mc->fdt, cpu_name, socket);
> > +qemu_fdt_setprop_cell(mc->fdt, cpu_name, "phandle", cpu_phandle);
> > +
> > +intc_phandles[cpu] = (*phandle)++;
> > +
> > +intc_name = g_strdup_printf("%s/interrupt-controller", cpu_name);
> > +qemu_fdt_add_subnode(mc->fdt, intc_name);
> > +qemu_fdt_setprop_cell(mc->fdt, intc_name, "phandle",
> > +intc_phandles[cpu]);
> > +qemu_fdt_setprop_string(mc->fdt, intc_name, "compatible",
> > +"riscv,cpu-intc");
> > +qemu_fdt_setprop(mc->fdt, intc_name, "interrupt-controller", NULL, 
> > 0);
> > +qemu_fdt_setprop_cell(mc->fdt, intc_name, "#interrupt-cells", 1);
> > +
> > +core_name = g_strdup_printf("%s/core%d", clust_name, cpu);
> > +qemu_fdt_add_subnode(mc->fdt, core_name);
> > +qemu_fdt_setprop_cell(mc->fdt, core_name, "cpu", cpu_phandle);
> > +
> > +g_free(core_name);
> > +g_free(intc_name);
> > +g_free(cpu_name);
> > +}
> > +}
> > +
> > +static void create_fdt_socket_memory(RISCVVirtState *s,
> > + const MemMapEntry *memmap, int socket)
> > +{
> > +char *mem_name;
> >  uint64_t addr, size;
> > -uint32_t *clint_cells, *plic_cells;
> > -unsigned long clint_addr, plic_addr;
> > -uint32_t plic_phandle[MAX_NODES];
> > -uint32_t cpu_phandle, intc_phandle, test_phandle;
> > -uint32_t phandle = 1, plic_mmio_phandle = 1;
> > -uint32_t plic_pcie_phandle = 1, plic_virtio_phandle = 1;
> > -char *mem_name, *cpu_name, *core_name, *intc_name;
> > -char *name, *clint_name, *plic_name, *clust_name;
> > -hwaddr flashsize = virt_memmap[VIRT_FLASH].size / 2;
> > -hwaddr flashbase = virt_memmap[VIRT_FLASH].base;
> > +MachineState *mc = MACHINE(s);
> >
> > -if (mc->dtb) {
> > -fdt = mc->fdt = load_device_tree(mc->dtb, >fdt_size);
> > -if (!fdt) {
> > -error_report("load_device_tree() failed");
> > -exit(1);
> > -}
> > -goto update_bootargs;
> > -} else {
> > -fdt = mc->fdt = create_device_tree(>fdt_size);
> > -if (!fdt) {
> > -error_report("create_device_tree() failed");
> > -exit(1);
> > -}
> > +addr = memmap[VIRT_DRAM].base + riscv_socket_mem_offset(mc, socket);
> > +size = riscv_socket_mem_size(mc, socket);
> > +mem_name = g_strdup_printf("/memory@%lx", (long)addr);
> > +qemu_fdt_add_subnode(mc->fdt, mem_name);
> > +qemu_fdt_setprop_cells(mc->fdt, mem_name, "reg",
> > +addr >> 32, addr, size >> 32, size);
> > +qemu_fdt_setprop_string(mc->fdt, mem_name, 
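Review bot: In create_fdt_socket_memory(), g_strdup_printf("/memory@%lx", (long)addr) casts the uint64_t addr to long, which truncates the node's unit address on hosts where long is 32 bits, while the "reg" cells written just below carry the full 64-bit value. Formatting with PRIx64 and dropping the cast would keep the node name and its reg property consistent. Separately, create_fdt_socket_cpus() writes intc_phandles[cpu] for every hart without knowing the array's length, so its comment or signature should state that the caller must size the array for s->soc[socket].num_harts.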

[PATCH 0/1] block: Do not poll in bdrv_set_aio_context_ignore() when acquiring new_context

2021-07-11 Thread Zhiyong Ye
When bdrv_set_aio_context_ignore() is called in the main loop to change
the AioContext onto the IO thread, the bdrv_drain_invoke_entry() never
gets to run and the IO thread hangs at co_schedule_bh_cb().

This is because the AioContext is occupied by the main thread after
being attached to the IO thread, and the main thread polls in
bdrv_drained_end() waiting for the IO request to be drained, but the IO
thread cannot acquire the AioContext, which leads to deadlock.

Zhiyong Ye (1):
  block: Do not poll in bdrv_set_aio_context_ignore() when acquiring new_context

 block.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

-- 
2.11.0




Re: [PATCH v1 3/3] hw/riscv: virt: Add optional ACLINT support to virt machine

2021-07-11 Thread Anup Patel
On Mon, Jun 14, 2021 at 5:52 PM Bin Meng  wrote:
>
> On Sun, Jun 13, 2021 at 12:14 AM Anup Patel  wrote:
> >
> > We extend virt machine to emulate ACLINT devices only when "aclint=on"
> > parameter is passed along with machine name in QEMU command-line.
> >
> > Signed-off-by: Anup Patel 
> > ---
> >  hw/riscv/virt.c | 110 +++-
> >  include/hw/riscv/virt.h |   2 +
> >  2 files changed, 111 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> > index 977d699753..a35f66af13 100644
> > --- a/hw/riscv/virt.c
> > +++ b/hw/riscv/virt.c
> > @@ -50,6 +50,7 @@ static const MemMapEntry virt_memmap[] = {
> >  [VIRT_TEST] ={   0x10,0x1000 },
> >  [VIRT_RTC] = {   0x101000,0x1000 },
> >  [VIRT_CLINT] =   {  0x200,   0x1 },
> > +[VIRT_ACLINT_SSWI] = {  0x2F0,0x4000 },
>
> How about we reuse the same register space to support both CLINT and
> ACLINT? This saves some register space for future extension.

The intention of placing ACLINT SSWI separate from ACLINT MTIMER and
MSWI is to minimize PMP region usage.

When we have multiple sockets, each socket will have its own set of
ACLINT devices so we deliberately keep ACLINT MTIMER and MSWI
devices of all sockets next to each other so that we need just 1-2 PMP
regions to cover all M-level ACLINT devices.

In general, RISC-V platform vendors will have to carefully design
memory layout of M-level devices so that M-mode runtime firmware
needs fewer PMP regions. The spare PMP regions can be used by
M-mode runtime firmware to partition the system into domains and
implement TEE.

>
> >  [VIRT_PCIE_PIO] ={  0x300,   0x1 },
> >  [VIRT_PLIC] ={  0xc00, VIRT_PLIC_SIZE(VIRT_CPUS_MAX * 2) },
> >  [VIRT_UART0] =   { 0x1000, 0x100 },
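Review bot: The new [VIRT_ACLINT_SSWI] entry sits apart from [VIRT_CLINT] with no comment saying why, and the reason (keeping the M-level MSWI and MTIMER windows of all sockets next to each other so that firmware can cover them with one or two PMP regions) is recorded only in this thread. A short comment above the entry stating that intent would stop a later cleanup from folding the S-level window back into the M-level range.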
> > @@ -279,6 +280,78 @@ static void create_fdt_socket_clint(RISCVVirtState *s,
> >  g_free(clint_cells);
> >  }
> >
> > +static void create_fdt_socket_aclint(RISCVVirtState *s,
> > + const MemMapEntry *memmap, int socket,
> > + uint32_t *intc_phandles)
> > +{
> > +int cpu;
> > +char *name;
> > +unsigned long addr;
> > +uint32_t aclint_cells_size;
> > +uint32_t *aclint_mswi_cells;
> > +uint32_t *aclint_sswi_cells;
> > +uint32_t *aclint_mtimer_cells;
> > +MachineState *mc = MACHINE(s);
> > +
> > +aclint_mswi_cells = g_new0(uint32_t, s->soc[socket].num_harts * 2);
> > +aclint_mtimer_cells = g_new0(uint32_t, s->soc[socket].num_harts * 2);
> > +aclint_sswi_cells = g_new0(uint32_t, s->soc[socket].num_harts * 2);
> > +
> > +for (cpu = 0; cpu < s->soc[socket].num_harts; cpu++) {
> > +aclint_mswi_cells[cpu * 2 + 0] = cpu_to_be32(intc_phandles[cpu]);
> > +aclint_mswi_cells[cpu * 2 + 1] = cpu_to_be32(IRQ_M_SOFT);
> > +aclint_mtimer_cells[cpu * 2 + 0] = cpu_to_be32(intc_phandles[cpu]);
> > +aclint_mtimer_cells[cpu * 2 + 1] = cpu_to_be32(IRQ_M_TIMER);
> > +aclint_sswi_cells[cpu * 2 + 0] = cpu_to_be32(intc_phandles[cpu]);
> > +aclint_sswi_cells[cpu * 2 + 1] = cpu_to_be32(IRQ_S_SOFT);
> > +}
> > +aclint_cells_size = s->soc[socket].num_harts * sizeof(uint32_t) * 2;
> > +
> > +addr = memmap[VIRT_CLINT].base + (memmap[VIRT_CLINT].size * socket);
> > +name = g_strdup_printf("/soc/mswi@%lx", addr);
> > +qemu_fdt_add_subnode(mc->fdt, name);
> > +qemu_fdt_setprop_string(mc->fdt, name, "compatible", 
> > "riscv,aclint-mswi");
> > +qemu_fdt_setprop_cells(mc->fdt, name, "reg",
> > +0x0, addr, 0x0, RISCV_ACLINT_SWI_SIZE);
> > +qemu_fdt_setprop(mc->fdt, name, "interrupts-extended",
> > +aclint_mswi_cells, aclint_cells_size);
> > +qemu_fdt_setprop(mc->fdt, name, "interrupt-controller", NULL, 0);
> > +qemu_fdt_setprop_cell(mc->fdt, name, "#interrupt-cells", 0);
> > +riscv_socket_fdt_write_id(mc, mc->fdt, name, socket);
> > +g_free(name);
> > +
> > +addr = memmap[VIRT_CLINT].base + RISCV_ACLINT_SWI_SIZE +
> > +(memmap[VIRT_CLINT].size * socket);
> > +name = g_strdup_printf("/soc/mtimer@%lx", addr);
> > +qemu_fdt_add_subnode(mc->fdt, name);
> > +qemu_fdt_setprop_string(mc->fdt, name, "compatible",
> > +"riscv,aclint-mtimer");
> > +qemu_fdt_setprop_cells(mc->fdt, name, "reg",
> > +0x0, addr, 0x0, memmap[VIRT_CLINT].size - RISCV_ACLINT_SWI_SIZE);
> > +qemu_fdt_setprop(mc->fdt, name, "interrupts-extended",
> > +aclint_mtimer_cells, aclint_cells_size);
> > +riscv_socket_fdt_write_id(mc, mc->fdt, name, socket);
> > +g_free(name);
> > +
> > +addr = memmap[VIRT_ACLINT_SSWI].base +
> > +(memmap[VIRT_ACLINT_SSWI].size * socket);
> > +name = g_strdup_printf("/soc/sswi@%lx", addr);
> > +qemu_fdt_add_subnode(mc->fdt, name);
> > +qemu_fdt_setprop_string(mc->fdt, name, 
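
The PMP argument made in the reply above, worked through as an added example (not code from the patch or from QEMU): it counts how many NAPOT PMP entries are needed to cover a set of M-level MMIO windows exactly, for any list of windows rather than only the two-socket case. The addresses, the two layouts and all function names are constructed for illustration, and only NAPOT entries (power-of-two size, base aligned to size) are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RANGES 16

struct range { uint64_t base, size; };

/* Constructed two-socket layouts; these are NOT the virt machine's values. */
static const struct range GROUPED[] = {
    { 0x2000000, 0x10000 },   /* socket 0 MSWI + MTIMER */
    { 0x2010000, 0x10000 },   /* socket 1 MSWI + MTIMER */
    /* S-level SSWI windows live elsewhere, outside this block */
};
static const struct range INTERLEAVED[] = {
    { 0x2000000, 0x10000 },   /* socket 0 MSWI + MTIMER */
    /* 0x2010000..0x2013fff: socket 0 SSWI, must stay S-mode accessible */
    { 0x2014000, 0x10000 },   /* socket 1 MSWI + MTIMER */
};

/* Largest power of two that is <= v (v > 0). */
static uint64_t pow2_floor(uint64_t v)
{
    uint64_t p = 1;
    while (p <= v / 2) {
        p *= 2;
    }
    return p;
}

/* Number of aligned power-of-two blocks that tile [base, base + len). */
static int napot_count(uint64_t base, uint64_t len)
{
    int n = 0;
    while (len) {
        uint64_t blk = pow2_floor(len);
        uint64_t align = base & (~base + 1);  /* lowest set bit, 0 if base == 0 */
        if (align && align < blk) {
            blk = align;                      /* base alignment limits the block */
        }
        base += blk;
        len -= blk;
        n++;
    }
    return n;
}

/* Sort the windows, merge adjacent ones, then count NAPOT entries needed. */
int napot_entries(const struct range *in, size_t n)
{
    struct range r[MAX_RANGES];
    int total = 0;

    if (n == 0 || n > MAX_RANGES) {
        return -1;
    }
    for (size_t i = 0; i < n; i++) {          /* insertion sort by base */
        size_t j = i;
        for (; j > 0 && r[j - 1].base > in[i].base; j--) {
            r[j] = r[j - 1];
        }
        r[j] = in[i];
    }
    uint64_t base = r[0].base, end = r[0].base + r[0].size;
    for (size_t i = 1; i < n; i++) {
        if (r[i].base <= end) {               /* touching or overlapping: merge */
            if (r[i].base + r[i].size > end) {
                end = r[i].base + r[i].size;
            }
        } else {
            total += napot_count(base, end - base);
            base = r[i].base;
            end = base + r[i].size;
        }
    }
    return total + napot_count(base, end - base);
}

/* pmpaddr value for a NAPOT region (size a power of two >= 8, base aligned). */
uint64_t pmp_napot_addr(uint64_t base, uint64_t size)
{
    return (base | (size / 2 - 1)) >> 2;
}

int main(void)
{
    printf("grouped layout:     %d PMP entries\n", napot_entries(GROUPED, 2));
    printf("interleaved layout: %d PMP entries\n", napot_entries(INTERLEAVED, 2));
    printf("pmpaddr for 0x2000000/0x20000: 0x%llx\n",
           (unsigned long long)pmp_napot_addr(0x2000000, 0x20000));
    return 0;
}
```

With the M-level windows grouped, one entry covers both sockets; placing an S-level window between them costs four entries for the same devices.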

[PATCH 1/1] block: Do not poll in bdrv_set_aio_context_ignore() when acquiring new_context

2021-07-11 Thread Zhiyong Ye
When bdrv_set_aio_context_ignore() is called in the main loop to change
the AioContext onto the IO thread, the bdrv_drain_invoke_entry() never
gets to run and the IO thread hangs at co_schedule_bh_cb().

This is because the AioContext is occupied by the main thread after
being attached to the IO thread, and the main thread polls in
bdrv_drained_end() waiting for the IO request to be drained, but the IO
thread cannot acquire the AioContext, which leads to deadlock.

Just like below:

<-->
[Switching to thread 1 (Thread 0x7fd810bbef40 (LWP 533312))]
(gdb) bt
...
3  0x5601f6ea93aa in fdmon_poll_wait at ../util/fdmon-poll.c:80
4  0x5601f6e81a1c in aio_poll at ../util/aio-posix.c:607
5  0x5601f6dcde87 in bdrv_drained_end at ../block/io.c:496
6  0x5601f6d798cd in bdrv_set_aio_context_ignore at ../block.c:6502
7  0x5601f6d7996c in bdrv_set_aio_context_ignore at ../block.c:6472
8  0x5601f6d79cb8 in bdrv_child_try_set_aio_context at ../block.c:6587
9  0x5601f6da86f2 in blk_do_set_aio_context at ../block/block-backend.c:2026
10 0x5601f6daa96d in blk_set_aio_context at ../block/block-backend.c:2047
11 0x5601f6c71883 in virtio_scsi_hotplug at ../hw/scsi/virtio-scsi.c:831
...

[Switching to thread 4 (Thread 0x7fd8092e7700 (LWP 533315))]
(gdb) bt
...
4  0x5601f6eab6a8 in qemu_mutex_lock_impl at ../util/qemu-thread-posix.c:79
5  0x5601f6e7ce88 in co_schedule_bh_cb at ../util/async.c:489
6  0x5601f6e7c404 in aio_bh_poll at ../util/async.c:164
7  0x5601f6e81a46 in aio_poll at ../util/aio-posix.c:659
8  0x5601f6d5ccf3 in iothread_run at ../iothread.c:73
9  0x5601f6eab512 in qemu_thread_start at ../util/qemu-thread-posix.c:521
10 0x7fd80d7b84a4 in start_thread at pthread_create.c:456
11 0x7fd80d4fad0f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:97
(gdb) f 4
4  0x5601f6eab6a8 in qemu_mutex_lock_impl at ../util/qemu-thread-posix.c:79
(gdb) p *mutex
$2 = {lock = {__data = {__lock = 2, __count = 1, __owner = 533312, __nusers = 1,
  __kind = 1, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 
0x0}},
  __size = "\002\000\000\000\001\000\000\000@#\b\000\001\000\000\000\001",
  '\000' , __align = 4294967298}, initialized = true}
<-->

Therefore, we should never poll anywhere in
bdrv_set_aio_context_ignore() when acquiring the new context. In fact,
commit e037c09c has also already elaborated on why we can't poll at
bdrv_do_drained_end().

Signed-off-by: Zhiyong Ye 
---
 block.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block.c b/block.c
index be083f389e..ebbea72d64 100644
--- a/block.c
+++ b/block.c
@@ -6846,6 +6846,7 @@ void bdrv_set_aio_context_ignore(BlockDriverState *bs,
 GSList *parents_to_process = NULL;
 GSList *entry;
 BdrvChild *child, *parent;
+int drained_end_counter = 0;
 
 g_assert(qemu_get_current_aio_context() == qemu_get_aio_context());
 
@@ -6907,7 +6908,7 @@ void bdrv_set_aio_context_ignore(BlockDriverState *bs,
 aio_context_release(old_context);
 }
 
-bdrv_drained_end(bs);
+bdrv_drained_end_no_poll(bs, _end_counter);
 
 if (qemu_get_aio_context() != old_context) {
 aio_context_acquire(old_context);
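Review bot: At the call that replaces bdrv_drained_end(bs), nothing in the code says why the no-poll variant is required, and the reason (polling here while the main thread holds new_context keeps the IO thread from taking the lock) is recorded only in the commit message. A short comment at the call site, pointing at commit e037c09c as the commit message does, would keep a later change from restoring the polling call.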
@@ -6915,6 +6916,7 @@ void bdrv_set_aio_context_ignore(BlockDriverState *bs,
 if (qemu_get_aio_context() != new_context) {
 aio_context_release(new_context);
 }
+BDRV_POLL_WHILE(bs, qatomic_read(_end_counter) > 0);
 }
 
 static bool bdrv_parent_can_set_aio_context(BdrvChild *c, AioContext *ctx,
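Review bot: The BDRV_POLL_WHILE() added at the end runs after aio_context_release(new_context), so when new_context is not the main context the caller no longer holds the AioContext that bs now belongs to. If BDRV_POLL_WHILE() expects that lock to be held so that it can drop and retake it around its poll, this would release a lock the thread does not own; please confirm the locking contract and state it in a comment next to the poll. The counter is also a stack variable that other code decrements, so the function must not return by any path before the count reaches zero.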
-- 
2.11.0
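
The lock-ordering problem described in the commit message above, reduced to a stand-alone model as an added example (not QEMU code and not part of the patch): one thread holds a context lock while waiting for work that a second thread can only finish after taking the same lock. struct ctx, switch_context() and the bounded poll are assumptions made so the model terminates; the real code polls without a timeout and therefore hangs.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

struct ctx {
    pthread_mutex_t lock;   /* stands in for the AioContext lock */
    atomic_int pending;     /* stands in for drained_end_counter */
};

/* IO-thread side: the scheduled callback needs the context lock
 * before it can finish and decrement the counter. */
static void *io_thread(void *opaque)
{
    struct ctx *c = opaque;

    pthread_mutex_lock(&c->lock);
    atomic_fetch_sub(&c->pending, 1);
    pthread_mutex_unlock(&c->lock);
    return NULL;
}

/* Poll for up to max_ms milliseconds; true once pending reaches zero. */
static bool poll_drained(struct ctx *c, int max_ms)
{
    struct timespec one_ms = { 0, 1000000 };

    for (int i = 0; i < max_ms; i++) {
        if (atomic_load(&c->pending) == 0) {
            return true;
        }
        nanosleep(&one_ms, NULL);
    }
    return atomic_load(&c->pending) == 0;
}

/* Returns 1 if the wait completed, 0 if it timed out (the hang). */
int switch_context(bool poll_while_locked)
{
    struct ctx c = { .pending = 1 };
    pthread_t tid;
    bool drained;

    pthread_mutex_init(&c.lock, NULL);
    pthread_mutex_lock(&c.lock);              /* main thread takes the new context */
    pthread_create(&tid, NULL, io_thread, &c);

    if (poll_while_locked) {
        drained = poll_drained(&c, 200);      /* waits while still holding the lock */
        pthread_mutex_unlock(&c.lock);
    } else {
        pthread_mutex_unlock(&c.lock);        /* release first ... */
        drained = poll_drained(&c, 2000);     /* ... then wait for the counter */
    }
    pthread_join(tid, NULL);
    pthread_mutex_destroy(&c.lock);
    return drained;
}

int main(void)
{
    printf("poll while holding the lock: %s\n",
           switch_context(true) ? "drained" : "timed out");
    printf("poll after releasing it:     %s\n",
           switch_context(false) ? "drained" : "timed out");
    return 0;
}
```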




Re: [PATCH v1 1/3] hw/intc: Upgrade the SiFive CLINT implementation to RISC-V ACLINT

2021-07-11 Thread Anup Patel
On Fri, Jun 18, 2021 at 12:20 PM Alistair Francis  wrote:
>
> On Sun, Jun 13, 2021 at 2:09 AM Anup Patel  wrote:
> >
> > The RISC-V ACLINT is more modular and backward compatible with
> > original SiFive CLINT so instead of duplicating the original
> > SiFive CLINT implementation we upgrade the current SiFive CLINT
> > implementation to RISC-V ACLINT implementation.
> >
> > Signed-off-by: Anup Patel 
> > ---
> >  hw/intc/Kconfig|   2 +-
> >  hw/intc/meson.build|   2 +-
> >  hw/intc/riscv_aclint.c | 374 +
> >  hw/intc/sifive_clint.c | 266 ---
> >  hw/riscv/Kconfig   |  10 +-
> >  hw/riscv/microchip_pfsoc.c |  12 +-
> >  hw/riscv/sifive_e.c|  12 +-
> >  hw/riscv/sifive_u.c|  14 +-
> >  hw/riscv/spike.c   |  15 +-
> >  hw/riscv/virt.c|  15 +-
> >  include/hw/intc/riscv_aclint.h |  73 +++
> >  include/hw/intc/sifive_clint.h |  60 --
> >  12 files changed, 494 insertions(+), 361 deletions(-)
> >  create mode 100644 hw/intc/riscv_aclint.c
> >  delete mode 100644 hw/intc/sifive_clint.c
> >  create mode 100644 include/hw/intc/riscv_aclint.h
> >  delete mode 100644 include/hw/intc/sifive_clint.h
>
> Could we split this patch into 2? One to rename the file and a second
> to add the new implementation? Otherwise there might be a git config
> to change file rename detection as this is hard to see the changes.

Sure, I will split this patch into two patches.

>
> >
> > diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
> > index f4694088a4..78aed93c45 100644
> > --- a/hw/intc/Kconfig
> > +++ b/hw/intc/Kconfig
> > @@ -62,7 +62,7 @@ config RX_ICU
> >  config LOONGSON_LIOINTC
> >  bool
> >
> > -config SIFIVE_CLINT
> > +config RISCV_ACLINT
> >  bool
> >
> >  config SIFIVE_PLIC
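Review bot: Renaming the symbol from SIFIVE_CLINT to RISCV_ACLINT in this hunk means every place that selects or tests the old name has to change in the same commit, or intermediate commits will not build the device. If the patch is split into a rename and a new implementation as requested above, keep this hunk, the matching meson.build change and the hw/riscv/Kconfig updates together in the rename patch so that each step stays bisectable.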
> > diff --git a/hw/intc/meson.build b/hw/intc/meson.build
> > index 1c299039f6..2482fcfaf8 100644
> > --- a/hw/intc/meson.build
> > +++ b/hw/intc/meson.build
> > @@ -48,7 +48,7 @@ specific_ss.add(when: 'CONFIG_RX_ICU', if_true: 
> > files('rx_icu.c'))
> >  specific_ss.add(when: 'CONFIG_S390_FLIC', if_true: files('s390_flic.c'))
> >  specific_ss.add(when: 'CONFIG_S390_FLIC_KVM', if_true: 
> > files('s390_flic_kvm.c'))
> >  specific_ss.add(when: 'CONFIG_SH_INTC', if_true: files('sh_intc.c'))
> > -specific_ss.add(when: 'CONFIG_SIFIVE_CLINT', if_true: 
> > files('sifive_clint.c'))
> > +specific_ss.add(when: 'CONFIG_RISCV_ACLINT', if_true: 
> > files('riscv_aclint.c'))
> >  specific_ss.add(when: 'CONFIG_SIFIVE_PLIC', if_true: 
> > files('sifive_plic.c'))
> >  specific_ss.add(when: 'CONFIG_XICS', if_true: files('xics.c'))
> >  specific_ss.add(when: ['CONFIG_KVM', 'CONFIG_XICS'],
> > diff --git a/hw/intc/riscv_aclint.c b/hw/intc/riscv_aclint.c
> > new file mode 100644
> > index 00..682f95cca7
> > --- /dev/null
> > +++ b/hw/intc/riscv_aclint.c
> > @@ -0,0 +1,374 @@
> > +/*
> > + * RISC-V ACLINT (Advanced Core Local Interruptor)
> > + *
> > + * Copyright (c) 2016-2017 Sagar Karandikar, sag...@eecs.berkeley.edu
> > + * Copyright (c) 2017 SiFive, Inc.
> > + * Copyright (c) 2021 Western Digital Corporation or its affiliates.
> > + *
> > + * This provides real-time clock, timer and interprocessor interrupts.
> > + *
> > + * This program is free software; you can redistribute it and/or modify it
> > + * under the terms and conditions of the GNU General Public License,
> > + * version 2 or later, as published by the Free Software Foundation.
> > + *
> > + * This program is distributed in the hope it will be useful, but WITHOUT
> > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> > + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License 
> > for
> > + * more details.
> > + *
> > + * You should have received a copy of the GNU General Public License along 
> > with
> > + * this program.  If not, see .
> > + */
> > +
> > +#include "qemu/osdep.h"
> > +#include "qapi/error.h"
> > +#include "qemu/error-report.h"
> > +#include "qemu/module.h"
> > +#include "hw/sysbus.h"
> > +#include "target/riscv/cpu.h"
> > +#include "hw/qdev-properties.h"
> > +#include "hw/intc/riscv_aclint.h"
> > +#include "qemu/timer.h"
> > +
> > +static uint64_t cpu_riscv_read_rtc(uint32_t timebase_freq)
> > +{
> > +return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
> > +timebase_freq, NANOSECONDS_PER_SECOND);
> > +}
> > +
> > +/*
> > + * Called when timecmp is written to update the QEMU timer or immediately
> > + * trigger timer interrupt if mtimecmp <= current timer value.
> > + */
> > +static void riscv_aclint_mtimer_write_timecmp(RISCVCPU *cpu, uint64_t 
> > value,
> > +uint32_t timebase_freq)
> > +{
> > +uint64_t next;
> > +uint64_t diff;
> > +
> > +uint64_t rtc_r = cpu_riscv_read_rtc(timebase_freq);
> > +
> > +cpu->env.timecmp = value;
> > +if (cpu->env.timecmp <= rtc_r) {
> > +/* if we're 

[PATCH] block: Do not poll in bdrv_set_aio_context_ignore() when acquiring new_context

2021-07-11 Thread Zhiyong Ye
When bdrv_set_aio_context_ignore() is called in the main loop to change
the AioContext onto the IO thread, the bdrv_drain_invoke_entry() never
gets to run and the IO thread hangs at co_schedule_bh_cb().

This is because the AioContext is occupied by the main thread after
being attached to the IO thread, and the main thread polls in
bdrv_drained_end() waiting for the IO request to be drained, but the IO
thread cannot acquire the AioContext, which leads to deadlock.

Just like below:

<-->
[Switching to thread 1 (Thread 0x7fd810bbef40 (LWP 533312))]
(gdb) bt
...
3  0x5601f6ea93aa in fdmon_poll_wait at ../util/fdmon-poll.c:80
4  0x5601f6e81a1c in aio_poll at ../util/aio-posix.c:607
5  0x5601f6dcde87 in bdrv_drained_end at ../block/io.c:496
6  0x5601f6d798cd in bdrv_set_aio_context_ignore at ../block.c:6502
7  0x5601f6d7996c in bdrv_set_aio_context_ignore at ../block.c:6472
8  0x5601f6d79cb8 in bdrv_child_try_set_aio_context at ../block.c:6587
9  0x5601f6da86f2 in blk_do_set_aio_context at ../block/block-backend.c:2026
10 0x5601f6daa96d in blk_set_aio_context at ../block/block-backend.c:2047
11 0x5601f6c71883 in virtio_scsi_hotplug at ../hw/scsi/virtio-scsi.c:831
...

[Switching to thread 4 (Thread 0x7fd8092e7700 (LWP 533315))]
(gdb) bt
...
4  0x5601f6eab6a8 in qemu_mutex_lock_impl at ../util/qemu-thread-posix.c:79
5  0x5601f6e7ce88 in co_schedule_bh_cb at ../util/async.c:489
6  0x5601f6e7c404 in aio_bh_poll at ../util/async.c:164
7  0x5601f6e81a46 in aio_poll at ../util/aio-posix.c:659
8  0x5601f6d5ccf3 in iothread_run at ../iothread.c:73
9  0x5601f6eab512 in qemu_thread_start at ../util/qemu-thread-posix.c:521
10 0x7fd80d7b84a4 in start_thread at pthread_create.c:456
11 0x7fd80d4fad0f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:97
(gdb) f 4
4  0x5601f6eab6a8 in qemu_mutex_lock_impl at ../util/qemu-thread-posix.c:79
(gdb) p *mutex
$2 = {lock = {__data = {__lock = 2, __count = 1, __owner = 533312, __nusers = 1,
  __kind = 1, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 
0x0}},
  __size = "\002\000\000\000\001\000\000\000@#\b\000\001\000\000\000\001",
  '\000' , __align = 4294967298}, initialized = true}
<-->

Therefore, we should never poll anywhere in
bdrv_set_aio_context_ignore() when acquiring the new context. In fact,
commit e037c09c has also already elaborated on why we can't poll at
bdrv_do_drained_end().

Signed-off-by: Zhiyong Ye 
---
 block.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block.c b/block.c
index be083f389e..ebbea72d64 100644
--- a/block.c
+++ b/block.c
@@ -6846,6 +6846,7 @@ void bdrv_set_aio_context_ignore(BlockDriverState *bs,
 GSList *parents_to_process = NULL;
 GSList *entry;
 BdrvChild *child, *parent;
+int drained_end_counter = 0;
 
 g_assert(qemu_get_current_aio_context() == qemu_get_aio_context());
 
@@ -6907,7 +6908,7 @@ void bdrv_set_aio_context_ignore(BlockDriverState *bs,
 aio_context_release(old_context);
 }
 
-bdrv_drained_end(bs);
+bdrv_drained_end_no_poll(bs, _end_counter);
 
 if (qemu_get_aio_context() != old_context) {
 aio_context_acquire(old_context);
@@ -6915,6 +6916,7 @@ void bdrv_set_aio_context_ignore(BlockDriverState *bs,
 if (qemu_get_aio_context() != new_context) {
 aio_context_release(new_context);
 }
+BDRV_POLL_WHILE(bs, qatomic_read(_end_counter) > 0);
 }
 
 static bool bdrv_parent_can_set_aio_context(BdrvChild *c, AioContext *ctx,
-- 
2.11.0




Re: [PATCH v2 3/3] hw/riscv: opentitan: Add the flash alias

2021-07-11 Thread Alistair Francis
On Fri, Jul 9, 2021 at 10:21 PM Bin Meng  wrote:
>
> On Fri, Jul 9, 2021 at 11:38 AM Alistair Francis
>  wrote:
> >
> > OpenTitan has an alias of flash avaliable which is called virtual flash.
>
> typo: available
>
> > Add support for that in the QEMU model.
> >
> > Signed-off-by: Alistair Francis 
> > ---
> >  include/hw/riscv/opentitan.h | 2 ++
> >  hw/riscv/opentitan.c | 6 ++
> >  2 files changed, 8 insertions(+)
> >
>
> Reviewed-by: Bin Meng 

Thanks!

Applied to riscv-to-apply.next

Alistair



Re: [PATCH v1 1/3] hw/intc: Upgrade the SiFive CLINT implementation to RISC-V ACLINT

2021-07-11 Thread Anup Patel
On Mon, Jun 14, 2021 at 5:52 PM Bin Meng  wrote:
>
> On Sun, Jun 13, 2021 at 12:08 AM Anup Patel  wrote:
> >
> > The RISC-V ACLINT is more modular and backward compatible with
> > original SiFive CLINT so instead of duplicating the original
> > SiFive CLINT implementation we upgrade the current SiFive CLINT
> > implementation to RISC-V ACLINT implementation.
> >
> > Signed-off-by: Anup Patel 
> > ---
> >  hw/intc/Kconfig|   2 +-
> >  hw/intc/meson.build|   2 +-
> >  hw/intc/riscv_aclint.c | 374 +
> >  hw/intc/sifive_clint.c | 266 ---
> >  hw/riscv/Kconfig   |  10 +-
> >  hw/riscv/microchip_pfsoc.c |  12 +-
> >  hw/riscv/sifive_e.c|  12 +-
> >  hw/riscv/sifive_u.c|  14 +-
> >  hw/riscv/spike.c   |  15 +-
> >  hw/riscv/virt.c|  15 +-
> >  include/hw/intc/riscv_aclint.h |  73 +++
> >  include/hw/intc/sifive_clint.h |  60 --
> >  12 files changed, 494 insertions(+), 361 deletions(-)
> >  create mode 100644 hw/intc/riscv_aclint.c
> >  delete mode 100644 hw/intc/sifive_clint.c
> >  create mode 100644 include/hw/intc/riscv_aclint.h
> >  delete mode 100644 include/hw/intc/sifive_clint.h
> >
> > diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
> > index f4694088a4..78aed93c45 100644
> > --- a/hw/intc/Kconfig
> > +++ b/hw/intc/Kconfig
> > @@ -62,7 +62,7 @@ config RX_ICU
> >  config LOONGSON_LIOINTC
> >  bool
> >
> > -config SIFIVE_CLINT
> > +config RISCV_ACLINT
> >  bool
> >
> >  config SIFIVE_PLIC
> > diff --git a/hw/intc/meson.build b/hw/intc/meson.build
> > index 1c299039f6..2482fcfaf8 100644
> > --- a/hw/intc/meson.build
> > +++ b/hw/intc/meson.build
> > @@ -48,7 +48,7 @@ specific_ss.add(when: 'CONFIG_RX_ICU', if_true: 
> > files('rx_icu.c'))
> >  specific_ss.add(when: 'CONFIG_S390_FLIC', if_true: files('s390_flic.c'))
> >  specific_ss.add(when: 'CONFIG_S390_FLIC_KVM', if_true: 
> > files('s390_flic_kvm.c'))
> >  specific_ss.add(when: 'CONFIG_SH_INTC', if_true: files('sh_intc.c'))
> > -specific_ss.add(when: 'CONFIG_SIFIVE_CLINT', if_true: 
> > files('sifive_clint.c'))
> > +specific_ss.add(when: 'CONFIG_RISCV_ACLINT', if_true: 
> > files('riscv_aclint.c'))
> >  specific_ss.add(when: 'CONFIG_SIFIVE_PLIC', if_true: 
> > files('sifive_plic.c'))
> >  specific_ss.add(when: 'CONFIG_XICS', if_true: files('xics.c'))
> >  specific_ss.add(when: ['CONFIG_KVM', 'CONFIG_XICS'],
> > diff --git a/hw/intc/riscv_aclint.c b/hw/intc/riscv_aclint.c
> > new file mode 100644
> > index 00..682f95cca7
> > --- /dev/null
> > +++ b/hw/intc/riscv_aclint.c
> > @@ -0,0 +1,374 @@
> > +/*
> > + * RISC-V ACLINT (Advanced Core Local Interruptor)
> > + *
> > + * Copyright (c) 2016-2017 Sagar Karandikar, sag...@eecs.berkeley.edu
> > + * Copyright (c) 2017 SiFive, Inc.
> > + * Copyright (c) 2021 Western Digital Corporation or its affiliates.
> > + *
> > + * This provides real-time clock, timer and interprocessor interrupts.
> > + *
> > + * This program is free software; you can redistribute it and/or modify it
> > + * under the terms and conditions of the GNU General Public License,
> > + * version 2 or later, as published by the Free Software Foundation.
> > + *
> > + * This program is distributed in the hope it will be useful, but WITHOUT
> > + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> > + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License 
> > for
> > + * more details.
> > + *
> > + * You should have received a copy of the GNU General Public License along 
> > with
> > + * this program.  If not, see .
> > + */
> > +
> > +#include "qemu/osdep.h"
> > +#include "qapi/error.h"
> > +#include "qemu/error-report.h"
> > +#include "qemu/module.h"
> > +#include "hw/sysbus.h"
> > +#include "target/riscv/cpu.h"
> > +#include "hw/qdev-properties.h"
> > +#include "hw/intc/riscv_aclint.h"
> > +#include "qemu/timer.h"
> > +
> > +static uint64_t cpu_riscv_read_rtc(uint32_t timebase_freq)
> > +{
> > +return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
> > +timebase_freq, NANOSECONDS_PER_SECOND);
> > +}
> > +
> > +/*
> > + * Called when timecmp is written to update the QEMU timer or immediately
> > + * trigger timer interrupt if mtimecmp <= current timer value.
> > + */
> > +static void riscv_aclint_mtimer_write_timecmp(RISCVCPU *cpu, uint64_t 
> > value,
> > +uint32_t timebase_freq)
> > +{
> > +uint64_t next;
> > +uint64_t diff;
> > +
> > +uint64_t rtc_r = cpu_riscv_read_rtc(timebase_freq);
> > +
> > +cpu->env.timecmp = value;
> > +if (cpu->env.timecmp <= rtc_r) {
> > +/* if we're setting an MTIMECMP value in the "past",
> > +   immediately raise the timer interrupt */
>
> nits: please use correct multi-line comment format

Okay, will update.

>
> > +riscv_cpu_update_mip(cpu, MIP_MTIP, BOOL_TO_MASK(1));
> > +return;
> > +}
> > 

Re: [PATCH v1 2/5] hw/intc: sifive_clint: Use RISC-V CPU GPIO lines

2021-07-11 Thread Alistair Francis
On Sat, Jul 10, 2021 at 1:36 AM Richard Henderson
 wrote:
>
> On 7/8/21 8:30 PM, Alistair Francis wrote:
> > +typedef struct sifive_clint_callback {
> > +SiFiveCLINTState *s;
> > +int num;
> > +} sifive_clint_callback;
>
> Perhaps better to put "num", perhaps with a more descriptive name (hartid?), 
> into
> SiFiveCLINTState itself?

The problem is that there is a single SiFiveCLINTState because there
is a single CLINT, but we want to have a timer callback for each CPU
so we need something here that is per CPU.

>
> It would avoid some amount of double-indirection, and some awkward memory 
> allocation in
> sifive_clint_create.
>
>
> >   } else if ((addr & 0x3) == 0) {
> > -riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_MSIP, 
> > BOOL_TO_MASK(value));
> > +if (value) {
> > +qemu_irq_raise(clint->soft_irqs[hartid]);
> > +} else {
> > +qemu_irq_lower(clint->soft_irqs[hartid]);
> > +}
>
> You should use qemu_irq_set here.

Will do!

Alistair

>
>
> r~



[Bug 1910696] Re: Qemu fails to start with error " There is no option group 'spice'"

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910696

Title:
  Qemu fails to start with error " There is no option group 'spice'"

Status in QEMU:
  Expired

Bug description:
  After upgrade from 5.1.0 to 5.2.0, qemu fails on start with error:
  `
  /usr/bin/qemu-system-x86_64 -S -name trinti -uuid 
f8ad2ff6-8808-4f42-8f0b-9e23acd20f84 -daemonize -cpu host -nographic -serial 
chardev:console -nodefaults -no-reboot -no-user-config -sandbox 
on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny 
-readconfig /var/log/lxd/trinti/qemu.conf -pidfile /var/log/lxd/trinti/qemu.pid 
-D /var/log/lxd/trinti/qemu.log -chroot /var/lib/lxd/virtual-machines/trinti 
-smbios type=2,manufacturer=Canonical Ltd.,product=LXD -runas nobody: 
  qemu-system-x86_64:/var/log/lxd/trinti/qemu.conf:27: There is no option group 
'spice'
  qemu-system-x86_64: -readconfig /var/log/lxd/trinti/qemu.conf: read config 
/var/log/lxd/trinti/qemu.conf: Invalid argument
  `
  Bisected to first bad commit: 
https://github.com/qemu/qemu/commit/cbe5fa11789035c43fd2108ac6f45848954954b5

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910696/+subscriptions



[Bug 1907969] Re: linux-user/i386: Segfault when mixing threads and signals

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1907969

Title:
  linux-user/i386: Segfault when mixing threads and signals

Status in QEMU:
  Expired

Bug description:
  Given the following C program, qemu-i386 will surely and certainly segfault 
when executing it.
  The problem is only noticeable if the program is statically linked to musl's 
libc and, as written
  in the title, it only manifests when targeting i386.

  Removing the pthread calls or the second raise() makes it not
  segfault.

  The crash is in some part of the TCG-generated code, right when it tries to 
perform a
  %gs-relative access.

  If you want a quick way of cross-compiling this binary:

  * Download a copy of the Zig compiler from https://ziglang.org/download/
  * Compile it with
`zig cc -target i386-linux-musl  -o `

  ```
  /* headers required by the calls below */
  #include <pthread.h>
  #include <signal.h>
  #include <string.h>
  #include <unistd.h>

  void sig_func(int sig)
  {
      write(1, "hi!\n", strlen("hi!\n"));
  }

  void func(void *p) { }

  typedef void *(*F)(void *);

  int main()
  {
      pthread_t tid;

      struct sigaction action;
      action.sa_flags = 0;
      action.sa_handler = sig_func;

      if (sigaction(SIGUSR1, &action, NULL) == -1) {
          return 1;
      }

      // This works.
      raise(SIGUSR1);

      pthread_create(&tid, NULL, (F)func, NULL);
      pthread_join(tid, NULL);

      // This makes qemu segfault.
      raise(SIGUSR1);
  }
  ```




[Bug 1908781] Re: x86-64 not faulting when CS.L = 1 and CS.D = 1

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1908781

Title:
  x86-64 not faulting when CS.L = 1 and CS.D = 1

Status in QEMU:
  Expired

Bug description:
  In a UEFI application I accidentally created a code segment descriptor
  where both the L and D bits were 1. This is supposed to generate a GP
  fault (e.g. see page 2942 of
  https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf).
  When running with KVM a fault did indeed occur, but when not specifying
  any acceleration, no fault occurred.

  Let me know if you need me to develop a minimum example to debug from.
  At the moment it's all part of a slightly more complicated bit of
  code.

  Version: 5.2.0 (compiled from source)
  Command line options: -smp cores=4 -m 8192 (plus whatever uefi-run adds to 
plug in OVMF and my UEFI application).
  Environment: Ubuntu 20.04 on Ryzen 3700X

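A descriptor-table check for the condition in the report above, as an added example that is not part of the bug report or of QEMU: it decodes the L and D bits of each 8-byte descriptor and flags code segments that set both, the combination the report says should raise #GP. The function names, the enum and the sample table are constructed here, and the table is assumed to be one used in long mode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions inside one 8-byte segment descriptor. */
#define DESC_TYPE_EXEC (1ULL << 43)  /* type bit 3: 1 = code segment */
#define DESC_S         (1ULL << 44)  /* 1 = code/data, 0 = system */
#define DESC_P         (1ULL << 47)  /* present */
#define DESC_L         (1ULL << 53)  /* 64-bit code segment */
#define DESC_D         (1ULL << 54)  /* default operand size (D/B) */

enum cs_kind {
    CS_NOT_CODE,     /* null, data or system descriptor */
    CS_NOT_PRESENT,  /* code descriptor with P = 0 */
    CS_16BIT,        /* L = 0, D = 0 */
    CS_32BIT,        /* L = 0, D = 1 */
    CS_64BIT,        /* L = 1, D = 0 */
    CS_L_AND_D       /* L = 1, D = 1: the case from the report */
};

enum cs_kind classify_code_descriptor(uint64_t desc)
{
    if (!(desc & DESC_S) || !(desc & DESC_TYPE_EXEC)) {
        return CS_NOT_CODE;
    }
    if (!(desc & DESC_P)) {
        return CS_NOT_PRESENT;
    }
    if ((desc & DESC_L) && (desc & DESC_D)) {
        return CS_L_AND_D;
    }
    if (desc & DESC_L) {
        return CS_64BIT;
    }
    return (desc & DESC_D) ? CS_32BIT : CS_16BIT;
}

/*
 * Scan a descriptor table and record the indexes of code descriptors
 * with both L and D set. Returns how many were found; at most max_bad
 * indexes are stored. The upper half of a 16-byte system descriptor
 * has S = 0 in this view, so it is never reported as code.
 */
size_t find_l_and_d(const uint64_t *gdt, size_t n, size_t *bad,
                    size_t max_bad)
{
    size_t found = 0;

    for (size_t i = 0; i < n; i++) {
        if (classify_code_descriptor(gdt[i]) == CS_L_AND_D) {
            if (found < max_bad) {
                bad[found] = i;
            }
            found++;
        }
    }
    return found;
}

/* Constructed sample table, not taken from the report. */
static const uint64_t sample_gdt[] = {
    0x0000000000000000ULL,  /* null descriptor */
    0x00AF9A000000FFFFULL,  /* 64-bit code: L = 1, D = 0 */
    0x00CF92000000FFFFULL,  /* data segment */
    0x00CF9A000000FFFFULL,  /* 32-bit code: L = 0, D = 1 */
    0x00EF9A000000FFFFULL,  /* code with L = 1 and D = 1 */
};

int main(void)
{
    size_t bad[4];
    size_t n = sizeof(sample_gdt) / sizeof(sample_gdt[0]);
    size_t found = find_l_and_d(sample_gdt, n, bad, 4);

    for (size_t i = 0; i < found && i < 4; i++) {
        printf("descriptor %zu (selector 0x%zx): L and D both set\n",
               bad[i], bad[i] * 8);
    }
    return found ? 1 : 0;
}
```

Running a check like this over a table before loading it catches the descriptor on any hypervisor or accelerator, whether or not the fault is emulated.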



[Bug 1910605] Re: qemu-arm-static ioctl USBDEVFS_BULK return -1 (EFAULT) Bad address

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1910605

Title:
  qemu-arm-static ioctl USBDEVFS_BULK return -1 (EFAULT) Bad address

Status in QEMU:
  Expired

Bug description:

  Snippet of code sample:

  struct usbdevfs_bulktransfer Bulk;
  Bulk.ep = hUsb->UsbOut;
  Bulk.len = Len;
  Bulk.data = (void *)pData;
  Bulk.timeout = Timeout;
  Bytes = ioctl(hUsb->fd, USBDEVFS_BULK, &Bulk);

  The above code sample returns -1 (EFAULT) Bad address when using
  qemu-arm-static but is running ok when on qemu-aarch64-static.

  I use a 64-bit Intel laptop




[Bug 1912170] Re: NUMA nodes created with memory-backend-ram shows size different than requested

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1912170

Title:
  NUMA nodes created with memory-backend-ram shows size different than
  requested

Status in QEMU:
  Expired

Bug description:
  I created system with 7 NUMA nodes where nodes 0-3 should have 268435456 
bytes size and nodes 4-6 exactly 1610612736 bytes size, but when I run "numactl 
-H" I got different (smaller) sizes.
  It is essential for me to be able to emulate a system with nodes of exact 
size - is it possible?

  QEMU version:

  QEMU emulator version 5.1.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers

  QEMU command:

  qemu-system-x86_64 -hda qemu-image/ubuntu-1804.img -enable-kvm
  -cpu Cascadelake-Server -vnc :5
  -netdev user,id=net0,hostfwd=tcp::10022-:22
  -device virtio-net,netdev=net0 -boot c -m 5632.0M
  -object memory-backend-ram,id=ram-node0,size=268435456
  -numa node,nodeid=0,cpus=0-3,memdev=ram-node0
  -object memory-backend-ram,id=ram-node1,size=268435456
  -numa node,nodeid=1,cpus=4-7,memdev=ram-node1
  -object memory-backend-ram,id=ram-node2,size=268435456
  -numa node,nodeid=2,cpus=8-11,memdev=ram-node2
  -object memory-backend-ram,id=ram-node3,size=268435456
  -numa node,nodeid=3,cpus=12-15,memdev=ram-node3
  -object memory-backend-ram,id=ram-node4,size=1610612736
  -numa node,nodeid=4,memdev=ram-node4
  -object memory-backend-ram,id=ram-node5,size=1610612736
  -numa node,nodeid=5,memdev=ram-node5
  -object memory-backend-ram,id=ram-node6,size=1610612736
  -numa node,nodeid=6,memdev=ram-node6
  -numa dist,src=0,dst=0,val=10 -numa
  dist,src=0,dst=1,val=21 -numa dist,src=0,dst=2,val=31 -numa
  dist,src=0,dst=3,val=21 -numa dist,src=0,dst=4,val=17 -numa
  dist,src=0,dst=5,val=38 -numa dist,src=0,dst=6,val=28 -numa
  dist,src=1,dst=0,val=21 -numa dist,src=1,dst=1,val=10 -numa
  dist,src=1,dst=2,val=21 -numa dist,src=1,dst=3,val=31 -numa
  dist,src=1,dst=4,val=28 -numa dist,src=1,dst=5,val=17 -numa
  dist,src=1,dst=6,val=38 -numa dist,src=2,dst=0,val=31 -numa
  dist,src=2,dst=1,val=21 -numa dist,src=2,dst=2,val=10 -numa
  dist,src=2,dst=3,val=21 -numa dist,src=2,dst=4,val=28 -numa
  dist,src=2,dst=5,val=28 -numa dist,src=2,dst=6,val=28 -numa
  dist,src=3,dst=0,val=21 -numa dist,src=3,dst=1,val=31 -numa
  dist,src=3,dst=2,val=21 -numa dist,src=3,dst=3,val=10 -numa
  dist,src=3,dst=4,val=28 -numa dist,src=3,dst=5,val=28 -numa
  dist,src=3,dst=6,val=17 -numa dist,src=4,dst=0,val=17 -numa
  dist,src=4,dst=1,val=28 -numa dist,src=4,dst=2,val=28 -numa
  dist,src=4,dst=3,val=28 -numa dist,src=4,dst=4,val=10 -numa
  dist,src=4,dst=5,val=28 -numa dist,src=4,dst=6,val=28 -numa
  dist,src=5,dst=0,val=38 -numa dist,src=5,dst=1,val=17 -numa
  dist,src=5,dst=2,val=28 -numa dist,src=5,dst=3,val=28 -numa
  dist,src=5,dst=4,val=28 -numa dist,src=5,dst=5,val=10 -numa
  dist,src=5,dst=6,val=28 -numa dist,src=6,dst=0,val=38 -numa
  dist,src=6,dst=1,val=28 -numa dist,src=6,dst=2,val=28 -numa
  dist,src=6,dst=3,val=17 -numa dist,src=6,dst=4,val=28 -numa
  dist,src=6,dst=5,val=28 -numa dist,src=6,dst=6,val=10  -smp
  16,sockets=4,dies=1,cores=4,threads=1  -fsdev
  local,security_model=passthrough,id=fsdev0,path=/home/mysuser/share
  -device virtio-9p-pci,id=fs0,fsdev=fsdev0,mount_tag=share_host
  -daemonize

  output from numactl -H:

  $ numactl -H
  available: 7 nodes (0-6)
  node 0 cpus: 0 1 2 3
  node 0 size: 250 MB
  node 0 free: 191 MB
  node 1 cpus: 4 5 6 7
  node 1 size: 251 MB
  node 1 free: 199 MB
  node 2 cpus: 8 9 10 11
  node 2 size: 251 MB
  node 2 free: 218 MB
  node 3 cpus: 12 13 14 15
  node 3 size: 251 MB
  node 3 free: 118 MB
  node 4 cpus:
  node 4 size: 1511 MB
  node 4 free: 1507 MB
  node 5 cpus:
  node 5 size: 1447 MB
  node 5 free: 1443 MB
  node 6 cpus:
  node 6 size: 1489 MB
  node 6 free: 1484 MB
  node distances:
  node   0   1   2   3   4   5   6
    0:  10  21  31  21  17  38  28
    1:  21  10  21  31  28  17  38
    2:  31  21  10  21  28  28  28
    3:  21  31  21  10  28  28  17
    4:  17  28  28  28  10  28  28
    5:  38  17  28  28  28  10  28
    6:  38  28  28  17  28  28  10




[Bug 1911188] Re: qemu-system-x86_64 prints obscure error message and exits when encountering an empty argument

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1911188

Title:
  qemu-system-x86_64 prints obscure error message and exits when
  encountering an empty argument

Status in QEMU:
  Expired

Bug description:
  QEMU emulator version 4.2.1 (qemu-4.2.1-1.fc32) on Fedora 32.

  When writing a script to start qemu automatically, I ran into a very
  confusing error message due to a bug in my script and had trouble
  understanding it. I isolated the problem to the following:

  $ qemu-system-x86_64 ""
  qemu-system-x86_64: Initialization of device ide-hd failed: Device needs 
media, but drive is empty

  As you can see, running qemu with an empty argument prints a seemingly
  random and unrelated error message about an ide-hd device, and the
  program immediately exits with code 1. This happens when an empty
  argument appears anywhere in the arguments list, always causing the
  program to immediately die with this error.

  This is a simply baffling message to be encountering when the problem
  is really an empty argument.

  Expected behaviour: Either flatly ignore the empty argument, or at
  most trigger a warning (eg, "warning: saw empty argument"). It should
  not at all prevent the program from running.




[Bug 1908626] Re: Atomic test-and-set instruction does not work on qemu-user

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1908626

Title:
  Atomic test-and-set instruction does not work on qemu-user

Status in QEMU:
  Expired

Bug description:
  I try to compile and run PostgreSQL/Greenplum database inside docker 
container/qemu-aarch64-static:
  ```
   host: CentOS7 x86_64
   container: centos:centos7.9.2009 --platform linux/arm64/v8
   qemu-user-static: https://github.com/multiarch/qemu-user-static/releases/
  ```

  However, GP/PG's spinlock always gets stuck and reports PANIC errors. It 
seems its spinlock
  has something wrong.
  ```
  https://github.com/greenplum-db/gpdb/blob/master/src/include/storage/s_lock.h
  https://github.com/greenplum-db/gpdb/blob/master/src/backend/storage/lmgr/s_lock.c
  ```

  So I extract its spinlock implementation into one test C source file (see
  attachment file), and get reproduced:

  ```
  $ gcc spinlock_qemu.c
  $ ./a.out 
  C -- slock inited, lock value is: 0
  parent 139642, child 139645
  P -- slock lock before, lock value is: 0
  P -- slock locked, lock value is: 1
  P -- slock unlock after, lock value is: 0
  C -- slock lock before, lock value is: 1
  P -- slock lock before, lock value is: 1
  C -- slock locked, lock value is: 1
  C -- slock unlock after, lock value is: 0
  C -- slock lock before, lock value is: 1
  P -- slock locked, lock value is: 1
  P -- slock unlock after, lock value is: 0
  P -- slock lock before, lock value is: 1
  C -- slock locked, lock value is: 1
  C -- slock unlock after, lock value is: 0
  P -- slock locked, lock value is: 1
  C -- slock lock before, lock value is: 1
  P -- slock unlock after, lock value is: 0
  C -- slock locked, lock value is: 1
  P -- slock lock before, lock value is: 1
  C -- slock unlock after, lock value is: 0
  P -- slock locked, lock value is: 1
  C -- slock lock before, lock value is: 1
  P -- slock unlock after, lock value is: 0
  C -- slock locked, lock value is: 1
  P -- slock lock before, lock value is: 1
  C -- slock unlock after, lock value is: 0
  P -- slock locked, lock value is: 1
  C -- slock lock before, lock value is: 1
  P -- slock unlock after, lock value is: 0
  P -- slock lock before, lock value is: 1
  spin timeout, lock value is 1 (pid 139642)
  spin timeout, lock value is 1 (pid 139645)
  spin timeout, lock value is 1 (pid 139645)
  spin timeout, lock value is 1 (pid 139642)
  spin timeout, lock value is 1 (pid 139645)
  spin timeout, lock value is 1 (pid 139642)
  ...
  ...
  ...
  ```

  NOTE: this code always works on PHYSICAL ARM64 server.

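A minimal cross-process check in the spirit of the test described in the report above, as an added example (it is not the reporter's attachment, which is not on this page): two processes take a test-and-set spinlock in shared memory and increment a counter that is only safe under the lock. It assumes GCC's `__sync_lock_test_and_set` builtin stands in for the TAS primitive of s_lock.h; `run_tas_check`, `SPIN_LIMIT` and the struct layout are names chosen here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for MAP_ANONYMOUS under strict -std modes */
#endif
#include <sched.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up after this many failed attempts, like the "spin timeout" lines
 * in the report, instead of hanging forever on a broken test-and-set. */
#define SPIN_LIMIT 50000000L

/* Lives in a MAP_SHARED mapping so parent and child see the same words. */
struct shared {
    volatile int lock;       /* 0 = free, 1 = held */
    volatile long counter;   /* plain variable, only safe under the lock */
    volatile long timeouts;  /* number of workers that gave up spinning */
};

/* Assumption: the GCC builtin stands in for the TAS() macro of s_lock.h.
 * It stores 1 and returns the previous value, with acquire semantics. */
static int tas(volatile int *lock)
{
    return __sync_lock_test_and_set(lock, 1);
}

static int slock_acquire(volatile int *lock)
{
    long spins = 0;

    while (tas(lock) != 0) {
        if (++spins > SPIN_LIMIT) {
            return -1;
        }
        sched_yield();       /* let the lock holder run on a busy host */
    }
    return 0;
}

static void slock_release(volatile int *lock)
{
    __sync_lock_release(lock);   /* stores 0 with release semantics */
}

static void worker(struct shared *sh, long iterations)
{
    for (long i = 0; i < iterations; i++) {
        if (slock_acquire(&sh->lock) != 0) {
            __sync_fetch_and_add(&sh->timeouts, 1);
            return;
        }
        sh->counter = sh->counter + 1;   /* lost updates show a broken lock */
        slock_release(&sh->lock);
    }
}

/* Returns the final counter (2 * iterations when the lock works),
 * or -1 on setup failure or if either process timed out spinning. */
long run_tas_check(long iterations)
{
    struct shared *sh = mmap(NULL, sizeof(*sh), PROT_READ | PROT_WRITE,
                             MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    long result;
    pid_t pid;

    if (sh == MAP_FAILED) {
        return -1;
    }
    sh->lock = 0;
    sh->counter = 0;
    sh->timeouts = 0;

    pid = fork();
    if (pid < 0) {
        munmap(sh, sizeof(*sh));
        return -1;
    }
    if (pid == 0) {
        worker(sh, iterations);
        _exit(0);
    }
    worker(sh, iterations);
    if (waitpid(pid, NULL, 0) < 0) {
        munmap(sh, sizeof(*sh));
        return -1;
    }
    result = sh->timeouts ? -1 : sh->counter;
    munmap(sh, sizeof(*sh));
    return result;
}

int main(void)
{
    long n = 200000;
    long got = run_tas_check(n);

    printf("expected %ld, got %ld\n", 2 * n, got);
    return got == 2 * n ? 0 : 1;
}
```

Built natively and for the emulated target, the same binary gives a direct comparison: a result other than twice the iteration count points at the lock primitive rather than at the database code around it.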



[Bug 1913913] Re: i386-linux-user returns -1 in sigcontext->trapno

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1913913

Title:
  i386-linux-user returns -1 in sigcontext->trapno

Status in QEMU:
  Expired

Bug description:
  QEMU development version, git commit
  74208cd252c5da9d867270a178799abd802b9338. Behaviour has been noted in
  5.2.0 generally.

  Certain 16-bit windows programs crash WINE under QEMU linux-user with:

  0084:err:seh:segv_handler Got unexpected trap -1
  wine: Unhandled illegal instruction at address 6D65 (thread 0084), 
starting debugger...

  They run correctly on native i386.

  Upon further inspection, it becomes clear these programs are failing at
  addresses where they are making DOS calls (int 21h ie CD 21 for
  instance).

  It is also clear that WINE is expecting an exception/signal at this
  point, to patch in the actual int21h handling code inside WINE.

  However, wine uses sigcontext output extensively to do its structured
  exception handling. sigcontext->trapno being set to -1 seems to
  confuse it, causing it to treat the exception as an actual unhandled
  error.

  I do not know if exception_index is being left at -1 due to the case
  of privileged instructions being executed in 16-bit ldts not being
  handled specifically, or if there is some other illegal instruction
  case causing this.




[Bug 1913315] Re: qemu-system-x86_64 crash: in memory_region_access_valid+0x13

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1913315

Title:
  qemu-system-x86_64 crash: in memory_region_access_valid+0x13

Status in QEMU:
  Expired

Bug description:
  Recently we started to get intermittent qemu crashes. There is
  catchsegv report:

  ```
  + qemu-system-x86_64 -m 77766M -smp 8 -nodefaults -nographic -no-reboot 
-fsdev local,id=root,path=/,security_model=none,multidevs=remap -device 
virtio-9p-pci,fsdev=root,mount_tag=/dev/root -device virtio-rng-pci -serial 
mon:stdio -kernel 
/usr/src/tmp/kernel-image-rt-buildroot/boot/vmlinuz-4.19.165-rt-alt1.rt70 
-initrd /usr/src/tmp/initramfs-4.19.165-rt-alt1.rt70.img -bios bios.bin -append 
'console=ttyS0 mitigations=off nokaslr quiet panic=-1 no_timer_check'
  *** signal 11
  Register dump:

   RAX:    RBX: 03400340   RCX: 0001
   RDX: 0004   RSI: 0300   RDI: 03400340
   RBP: 0300   R8 :    R9 : 03400340
   R10: 0370   R11: 0002   R12: 0004
   R13: 0004   R14: 55b473fef5e0   R15: 0002
   RSP: 7fd7edffae90

   RIP: 55b4717ef653   EFLAGS: 00010206

   CS: 0033   FS:    GS: 

   Trap: 000e   Error: 0004   OldMask: 7ffbfa77   CR2: 0388

   FPUCW: 037f   FPUSW:    TAG: 
   mxcsr: 1fa0

  Backtrace:
  qemu-system-x86_64(memory_region_access_valid+0x13)[0x55b4717ef653]
  qemu-system-x86_64(memory_region_dispatch_write+0x48)[0x55b4717ef8c8]
  qemu-system-x86_64(+0x69fdfc)[0x55b471851dfc]
  qemu-system-x86_64(helper_le_stl_mmu+0x2c5)[0x55b471858995]
  [0x7feaed070925]

  ```
  QEMU release 5.2.0.




[Bug 1913926] Re: [QEMU User-Mode] Mesa Fails To Load RadeonSI Driver When In Docker Image

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1913926

Title:
  [QEMU User-Mode] Mesa Fails To Load RadeonSI Driver When In Docker
  Image

Status in QEMU:
  Expired

Bug description:
  # System Details
  AMD Ryzen 7 3700U
  Ubuntu 20.04 Focal Focus

  # Dockerfile

  FROM arm32v7/debian:bullseye

  RUN apt-get update && apt-get install -y mesa-utils

  ENTRYPOINT glxgears

  # Instructions For Reproduction
  1. Install Docker
  2. Build Docker Image: docker build --tag mesa-arm-test .
  3. Run: docker run -v /tmp/.X11-unix:/tmp/.X11-unix --device 
/dev/dri:/dev/dri -e "DISPLAY=${DISPLAY}" mesa-arm-test

  The Output Is:

  amdgpu_device_initialize: amdgpu_query_info(ACCEL_WORKING) failed (-38)
  amdgpu: amdgpu_device_initialize failed.
  libGL error: failed to create dri screen
  libGL error: failed to load driver: radeonsi
  libGL error: failed to get magic
  libGL error: failed to load driver: radeonsi

  It then appears to run using software rendering.




[Bug 1912857] Re: virtio-serial blocks hostfwd ssh on windows 10 host

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1912857

Title:
  virtio-serial blocks hostfwd ssh on windows 10 host

Status in QEMU:
  Expired

Bug description:
  qemu-system-x86_64
    -display none
    -hda archlinux.qcow2
    -m 4G
    -netdev user,id=n1,hostfwd=tcp::-:22
    -device virtio-net-pci,netdev=n1

  --> THIS WORKS - meaning I can ssh into the vm via port 

  qemu-system-x86_64
    -display none
    -hda archlinux.qcow2
    -m 4G
    -netdev user,id=n1,hostfwd=tcp::-:22
    -device virtio-net-pci,netdev=n1
    -device virtio-serial
    -device virtserialport,chardev=cid0
    -chardev socket,id=cid0,host=localhost,port=55298,server,nowait

  --> DOES NOT WORK - meaning I cannot ssh into the vm

  Not only does the port  not work, but I am not able to perform any
  serial transfer on port 55298 as well.

  The following doesn't work either:

  qemu-system-x86_64
    -display none
    -hda archlinux.qcow2
    -m 4G
    -netdev user,id=n1,hostfwd=tcp::-:22
    -device virtio-net-pci,netdev=n1
    -device virtio-serial
    -device virtserialport,chardev=cid0
    -chardev file,id=cid0,path=mypath

  No matter which character device I use for my virtserialport
  communication (socket or udp or file or pipe), the hostfwd doesn't
  work.

  Also, if I enable the display, I am unable to type anything in the
  emulator window when I use virtserialport.

  Host: Windows 10
  Guest: archlinux
  QEMU version 5.2

  The same thing works just fine on a Mac OS X host (tested on Big Sur)




[Bug 1913505] Re: Windows XP slow on Apple M1

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1913505

Title:
  Windows XP slow on Apple M1

Status in QEMU:
  Expired

Bug description:
  Qemu installed by using brew install qemu -s on M1

  QEMU emulator version 5.2.0
  XP image from: https://archive.org/details/WinXPProSP3x86

  Commands run:
  $ qemu-img create -f qcow2 xpsp3.img 10G
  $ qemu-system-i386 -m 512 -hda xpsp3.img -cdrom 
WinXPProSP3x86/en_windows_xp_professional_with_service_pack_3_x86_cd_vl_x14-73974.iso
 -boot d

  It's taken 3 days now with qemu running at around 94% CPU and
  installation hasn't finished. The mouse pointer moves and occasionally
  changes between the pointer and hourglass so it doesn't seem to have
  frozen.




[Bug 1914294] Re: Windows XP displays black screen when smp option is used

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1914294

Title:
  Windows XP displays black screen when smp option is used

Status in QEMU:
  Expired

Bug description:
  When I use Windows XP with the -smp option, the screen goes black. The
  only thing I can see is a cursor. I have tried -smp 2, -smp cores=4,
  and -smp cores=2.

  My info:

  Host:
  M1 Mac
  Mac OS 11.1
  QEMU 5.2 at cf7ca7d5b9faca13f1f8e3ea92cfb2f741eb0c0e.

  Guest:
  32-bit Windows XP SP3 build 2600.




[Bug 1914021] Re: qemu: uncaught target signal 4 (Illegal instruction) but gdb remote-debug exited normally

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1914021

Title:
  qemu: uncaught target signal 4 (Illegal instruction) but gdb remote-
  debug exited normally

Status in QEMU:
  Expired

Bug description:
  I'm getting Illegal instruction (core dumped) when running the
  attached a.out_err binary in qemu, but when using GDB to remote-debug
  the program, it exited normally. Will appreciate it if you can help look
  into this qemu issue.

  readelf -h a.out_err
  ELF Header:
    Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
    Class:                             ELF32
    Data:                              2's complement, little endian
    Version:                           1 (current)
    OS/ABI:                            UNIX - System V
    ABI Version:                       0
    Type:                              EXEC (Executable file)
    Machine:                           ARM
    Version:                           0x1
    Entry point address:               0x8220
    Start of program headers:          52 (bytes into file)
    Start of section headers:          54228 (bytes into file)
    Flags:                             0x5000200, Version5 EABI, soft-float ABI
    Size of this header:               52 (bytes)
    Size of program headers:           32 (bytes)
    Number of program headers:         3
    Size of section headers:           40 (bytes)
    Number of section headers:         16
    Section header string table index: 15

  qemu-arm version 4.0.0




[Bug 1914667] Re: High cpu usage when guest is idle on qemu-system-i386

2021-07-11 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
https://bugs.launchpad.net/bugs/1914667

Title:
  High cpu usage when guest is idle on qemu-system-i386

Status in QEMU:
  Expired

Bug description:
  When running Windows XP in qemu-system-i386, the cpu usage of QEMU is
  about 100% even when the guest CPU usage is close to 2%. The host cpu
  usage should be low when the guest cpu usage is low.

  Command: qemu-system-i386 -hda 

  Using this command also shows around 100% host CPU usage:
  qemu-system-i386 -m 700 -hda  -usb -device usb-audio 
-net nic,model=rtl8139 -net user -hdb mountable.img -soundhw pcspk

  Using the Penryn CPU option also saw this problem:
  qemu-system-i386 -hda  -m 700 -cpu Penryn-v1

  Using "-cpu pentium2" saw the same high host cpu usage.

  
  My Info:
  M1 MacBook Air
  Mac OS 11.1
  qemu-system-i386 version 5.2 (1ba089f2255bfdb071be3ce6ac6c3069e8012179)
  Windows XP SP3 Build 2600




[PATCH] vfio/pci: Add pba_offset PCI quirk for BAIDU KUNLUN AI processor

2021-07-11 Thread Cai Huoqing
Fix pba_offset initialization value for BAIDU KUNLUN Virtual
Function device. The KUNLUN hardware returns an incorrect
value for the VF PBA offset, and add a quirk to instead
return a hardcoded value of 0xb400.

Signed-off-by: Cai Huoqing 
---
 hw/vfio/pci.c| 8 
 include/hw/pci/pci_ids.h | 4 
 2 files changed, 12 insertions(+)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index ab4077aad2..72b7abf623 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -1499,6 +1499,14 @@ static void vfio_msix_early_setup(VFIOPCIDevice *vdev, 
Error **errp)
 if (vdev->vendor_id == PCI_VENDOR_ID_CHELSIO &&
 (vdev->device_id & 0xff00) == 0x5800) {
 msix->pba_offset = 0x1000;
+/*
+ * BAIDU KUNLUN Virtual Function devices are encoded as 0x3685 for
+ * KUNLUN AI processor. The KUNLUN hardware returns an incorrect
+ * value for the VF PBA offset. The correct value is 0xb400.
+ */
+} else if (vdev->vendor_id == PCI_VENDOR_ID_BAIDU &&
+   vdev->device_id == PCI_DEVICE_ID_KUNLUN_VF) {
+msix->pba_offset = 0xb400;
 } else if (vdev->msix_relo == OFF_AUTOPCIBAR_OFF) {
 error_setg(errp, "hardware reports invalid configuration, "
"MSIX PBA outside of specified BAR");
diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h
index 5c14681b82..bc73c50277 100644
--- a/include/hw/pci/pci_ids.h
+++ b/include/hw/pci/pci_ids.h
@@ -227,6 +227,10 @@
 #define PCI_VENDOR_ID_FREESCALE  0x1957
 #define PCI_DEVICE_ID_MPC8533E   0x0030
 
+#define PCI_VENDOR_ID_BAIDU  0x1d22
+#define PCI_DEVICE_ID_KUNLUN 0x3684
+#define PCI_DEVICE_ID_KUNLUN_VF  0x3685
+
 #define PCI_VENDOR_ID_INTEL  0x8086
 #define PCI_DEVICE_ID_INTEL_823780x0484
 #define PCI_DEVICE_ID_INTEL_824410x1237
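Review bot: PCI_DEVICE_ID_KUNLUN (0x3684) is added here but nothing in this patch references it; the quirk in hw/vfio/pci.c only tests PCI_DEVICE_ID_KUNLUN_VF. Either drop the unused define or explain in the commit message why the non-VF ID is needed.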
-- 
2.25.1




Re: [PATCH v4 1/3] qapi/qdev.json: add DEVICE_UNPLUG_ERROR QAPI event

2021-07-11 Thread David Gibson
On Thu, Jul 08, 2021 at 03:01:20PM +0200, Markus Armbruster wrote:
> Daniel Henrique Barboza  writes:
> 
> > At this moment we only provide one event to report a hotunplug error,
> > MEM_UNPLUG_ERROR. As of Linux kernel 5.12 and QEMU 6.0.0, the pseries
> > machine is now able to report unplug errors for other device types, such
> > as CPUs.
> >
> > Instead of creating a (device_type)_UNPLUG_ERROR for each new device,
> > create a generic DEVICE_UNPLUG_ERROR event that can be used by all
> > unplug errors in the future.
> >
> > With this new generic event, MEM_UNPLUG_ERROR is now marked as deprecated.
> >
> > Reviewed-by: David Gibson 
> > Signed-off-by: Daniel Henrique Barboza 
> > ---
> >  docs/system/deprecated.rst | 10 ++
> >  qapi/machine.json  |  6 +-
> >  qapi/qdev.json | 27 ++-
> >  3 files changed, 41 insertions(+), 2 deletions(-)
> >
> > diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
> > index 70e08baff6..ca6c7f9d43 100644
> > --- a/docs/system/deprecated.rst
> > +++ b/docs/system/deprecated.rst
> > @@ -204,6 +204,16 @@ The ``I7200`` guest CPU relies on the nanoMIPS ISA, 
> > which is deprecated
> >  (the ISA has never been upstreamed to a compiler toolchain). Therefore
> >  this CPU is also deprecated.
> >  
> > +
> > +QEMU API (QAPI) events
> > +--
> > +
> > +``MEM_UNPLUG_ERROR`` (since 6.1)
> > +
> > +
> > +Use the more generic event ``DEVICE_UNPLUG_ERROR`` instead.
> > +
> > +
> >  System emulator machines
> >  
> >  
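Review bot: the new MEM_UNPLUG_ERROR entry names the replacement event but does not say whether QEMU keeps emitting MEM_UNPLUG_ERROR alongside DEVICE_UNPLUG_ERROR during the deprecation period. A management application that filters on the old event name needs that stated here to know when it must switch.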
> > diff --git a/qapi/machine.json b/qapi/machine.json
> > index c3210ee1fb..a595c753d2 100644
> > --- a/qapi/machine.json
> > +++ b/qapi/machine.json
> > @@ -1271,6 +1271,9 @@
> >  #
> >  # @msg: Informative message
> >  #
> > +# Features:
> > +# @deprecated: This event is deprecated. Use @DEVICE_UNPLUG_ERROR instead.
> > +#
> >  # Since: 2.4
> >  #
> >  # Example:
> > @@ -1283,7 +1286,8 @@
> >  #
> >  ##
> >  { 'event': 'MEM_UNPLUG_ERROR',
> > -  'data': { 'device': 'str', 'msg': 'str' } }
> > +  'data': { 'device': 'str', 'msg': 'str' },
> > +  'features': ['deprecated'] }
> >  
> >  ##
> >  # @SMPConfiguration:
> > diff --git a/qapi/qdev.json b/qapi/qdev.json
> > index b83178220b..349d7439fa 100644
> > --- a/qapi/qdev.json
> > +++ b/qapi/qdev.json
> > @@ -84,7 +84,9 @@
> >  #This command merely requests that the guest begin the hot removal
> >  #process.  Completion of the device removal process is signaled 
> > with a
> >  #DEVICE_DELETED event. Guest reset will automatically complete 
> > removal
> > -#for all devices.
> > +#for all devices. If an error in the hot removal process is 
> > detected,
> > +#the device will not be removed and a DEVICE_UNPLUG_ERROR event is
> > +#sent.
> 
> "If an error ... is detected" kind of implies that some errors may go
> undetected.  Let's spell this out more clearly.  Perhaps append "Some
> errors cannot be detected."
> 
> DEVICE_UNPLUG_ERROR's unreliability is awkward.  Best we can do in the
> general case.  Can we do better in special cases, and would it be
> worthwhile?  If yes, it should probably be done on top.

I can't rule out such a special case entirely, but it's pretty hard to
imagine.  If we need any kind of acknowledgement from the guest to
complete the unplug, then the unplug failing but the guest never
reporting anything is going to be indistinguishable from the guest
working on the unplug but being super slow.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH] ppc/pegasos2: Allow setprop in VOF

2021-07-11 Thread David Gibson
On Fri, Jul 09, 2021 at 03:19:13PM +0200, BALATON Zoltan wrote:
> Linux needs setprop to fix up the device tree, otherwise it's not
> finding devices and cannot boot. Since recent VOF change now we need
> to add a callback to allow this which is what this patch does.
> 
> Signed-off-by: BALATON Zoltan 

Applied to ppc-for-6.1.

> ---
>  hw/ppc/pegasos2.c | 10 ++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
> index 5c4e2ae8bf..f25816082c 100644
> --- a/hw/ppc/pegasos2.c
> +++ b/hw/ppc/pegasos2.c
> @@ -443,10 +443,17 @@ static target_ulong 
> vhyp_encode_hpt_for_kvm_pr(PPCVirtualHypervisor *vhyp)
>  return POWERPC_CPU(current_cpu)->env.spr[SPR_SDR1];
>  }
>  
> +static bool pegasos2_setprop(MachineState *ms, const char *path,
> + const char *propname, void *val, int vallen)
> +{
> +return true;
> +}
> +
>  static void pegasos2_machine_class_init(ObjectClass *oc, void *data)
>  {
>  MachineClass *mc = MACHINE_CLASS(oc);
>  PPCVirtualHypervisorClass *vhc = PPC_VIRTUAL_HYPERVISOR_CLASS(oc);
> +VofMachineIfClass *vmc = VOF_MACHINE_CLASS(oc);
>  
>  mc->desc = "Genesi/bPlan Pegasos II";
>  mc->init = pegasos2_init;
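Review bot: pegasos2_setprop() returns true for every path, propname and vallen, so the guest may overwrite any device tree property of any size through VOF. If only the properties Linux fixes up at boot are needed, suggest allowing just those (or at least bounding vallen) and adding a comment that states the policy; as written the callback carries no documentation at all.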
> @@ -462,6 +469,8 @@ static void pegasos2_machine_class_init(ObjectClass *oc, 
> void *data)
>  vhc->cpu_exec_enter = vhyp_nop;
>  vhc->cpu_exec_exit = vhyp_nop;
>  vhc->encode_hpt_for_kvm_pr = vhyp_encode_hpt_for_kvm_pr;
> +
> +vmc->setprop = pegasos2_setprop;
>  }
>  
>  static const TypeInfo pegasos2_machine_info = {
> @@ -471,6 +480,7 @@ static const TypeInfo pegasos2_machine_info = {
>  .instance_size = sizeof(Pegasos2MachineState),
>  .interfaces = (InterfaceInfo[]) {
>  { TYPE_PPC_VIRTUAL_HYPERVISOR },
> +{ TYPE_VOF_MACHINE_IF },
>  { }
>  },
>  };

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




RE: [PATCH v3 26/40] tests/tcg: make test-mmap a little less aggressive

2021-07-11 Thread Taylor Simpson


> -Original Message-
> From: Alex Bennée 
> Sent: Friday, July 9, 2021 8:30 AM
> To: qemu-devel@nongnu.org
> Cc: f...@euphon.net; berra...@redhat.com; f4...@amsat.org;
> aurel...@aurel32.net; pbonz...@redhat.com; stefa...@redhat.com;
> cr...@redhat.com; c...@braap.org; aa...@os.amperecomputing.com;
> kuhn.chen...@huawei.com; robhe...@microsoft.com;
> mahmoudabdalgh...@outlook.com; miny...@uci.edu;
> ma.mando...@gmail.com; Alex Bennée ; Taylor
> Simpson 
> Subject: [PATCH v3 26/40] tests/tcg: make test-mmap a little less aggressive
> 
> The check_aligned_anonymous_unfixed_mmaps and
> check_aligned_anonymous_unfixed_colliding_mmaps do a lot of mmap's
> and copying of data. This is especially unfriendly to targets like hexagon
> which have quite large pages and need to do sanity checks on each memory
> access.
> 
> While we are at it clean-up the white space and style issues from the legacy
> code. As we no longer do quite so much needless memory access we can
> also remove the hexagon timeout hack.
> 
> Signed-off-by: Alex Bennée 
> 
> ---
> v3
>   - style and whitespace cleanups, reduce loop even further.
>   - remove hexagon timeout hack
> ---
>  tests/tcg/multiarch/test-mmap.c   | 208 +++---
>  tests/tcg/hexagon/Makefile.target |   9 --
>  2 files changed, 104 insertions(+), 113 deletions(-)


Reviewed-by: Taylor Simpson 



Re: intermittent hang in qos-test for qemu-system-i386 on 32-bit arm host

2021-07-11 Thread Coiby Xu

On Mon, Jul 12, 2021 at 06:20:33AM +0800, Coiby Xu wrote:

On Sun, Jul 11, 2021 at 04:53:51PM +0100, Peter Maydell wrote:

On Sat, 10 Jul 2021 at 14:30, Peter Maydell  wrote:


I've noticed recently that intermittently 'make check' will hang on
my aarch32 test system (really an aarch64 box with an aarch32 chroot).

I think from grep that this must be the vhost-user-blk test.


I've also now seen this on qemu-system-i386 guest x86-64 Linux host:


Good to know that! This makes it much easier for me to debug this
issue.


Which i386 image do you use for the guest? Could you share the download
link? I can't find a suitable i386 qcow2 image. For example, [1] is
outdated.

[1] http://people.debian.org/~aurel32/qemu

--
Best regards,
Coiby



Re: intermittent hang in qos-test for qemu-system-i386 on 32-bit arm host

2021-07-11 Thread Coiby Xu

On Sun, Jul 11, 2021 at 04:53:51PM +0100, Peter Maydell wrote:

On Sat, 10 Jul 2021 at 14:30, Peter Maydell  wrote:


I've noticed recently that intermittently 'make check' will hang on
my aarch32 test system (really an aarch64 box with an aarch32 chroot).

I think from grep that this must be the vhost-user-blk test.


I've also now seen this on qemu-system-i386 guest x86-64 Linux host:


Good to know that! This makes it much easier for me to debug this
issue.



Process tree:
petmay01 28992  0.0  0.0 123812  8612 ?Sl   14:46   0:01
  \_ tests/qtest/qos-test --tap -k -m quick
petmay01 30068  0.0  0.0 379204 20580 ?Sl   14:46   0:00
  |   \_ ./storage-daemon/qemu-storage-daemon
--blockdev driver=file,node-name=disk0,filename=qtest.6kY6px --export
type=vhost-user-blk,id=disk0,addr.type=unix,addr.path=/tmp/qtest-28992-sock.4Kgtk1,node-name=disk0,writable=on,num-queues=1
petmay01 30070  0.0  0.1 1083248 63748 ?   Sl   14:46   0:00
  |   \_ ./qemu-system-i386 -qtest
unix:/tmp/qtest-28992.sock -qtest-log /dev/null -chardev
socket,path=/tmp/qtest-28992.qmp,id=char0 -mon
chardev=char0,mode=control -display none -M pc -device
vhost-user-blk-pci,id=drv0,chardev=char1,addr=4.0 -object
memory-backend-memfd,id=mem,size=256M,share=on -M memory-backend=mem
-m 256M -chardev socket,id=char1,path=/tmp/qtest-28992-sock.4Kgtk1
-accel qtest


Backtrace, qos-test:
(gdb) thread apply all bt

Thread 2 (Thread 0x7fd086f1c700 (LWP 28995)):
#0  syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1  0x56448599484b in qemu_futex_wait (val=,
f=)
   at /mnt/nvmedisk/linaro/qemu-for-merges/include/qemu/futex.h:29
#2  qemu_event_wait (ev=ev@entry=0x564485c322e8 )
   at ../../util/qemu-thread-posix.c:480
#3  0x56448599dc18 in call_rcu_thread (opaque=opaque@entry=0x0) at
../../util/rcu.c:258
#4  0x564485993966 in qemu_thread_start (args=)
   at ../../util/qemu-thread-posix.c:541
#5  0x7fd088b446db in start_thread (arg=0x7fd086f1c700) at
pthread_create.c:463
#6  0x7fd08886d71f in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7fd089d9a900 (LWP 28992)):
#0  0x7fd088b4e474 in __libc_read (fd=6,
buf=buf@entry=0x7fff05f024f0, nbytes=nbytes@entry=1024)
   at ../sysdeps/unix/sysv/linux/read.c:27
#1  0x564485947cb2 in read (__nbytes=1024, __buf=0x7fff05f024f0,
__fd=)
   at /usr/include/x86_64-linux-gnu/bits/unistd.h:44
#2  qtest_client_socket_recv_line (s=0x5644866f38b0) at
../../tests/qtest/libqtest.c:494
#3  0x564485947e61 in qtest_rsp_args (s=s@entry=0x5644866f38b0,
   expected_args=expected_args@entry=1) at ../../tests/qtest/libqtest.c:521
#4  0x56448594846f in qtest_query_target_endianness (s=0x5644866f38b0)
   at ../../tests/qtest/libqtest.c:570
#5  0x564485948ed2 in qtest_init_without_qmp_handshake
(extra_args=)
   at ../../tests/qtest/libqtest.c:332
#6  0x564485949616 in qtest_init (extra_args=) at
../../tests/qtest/libqtest.c:339
#7  0x5644859338cd in qtest_start (
   args=0x5644866f6d00 "-M pc  -device
vhost-user-blk-pci,id=drv0,chardev=char1,addr=4.0 -object
memory-backend-memfd,id=mem,size=256M,share=on  -M memory-backend=mem
-m 256M -chardev socket,id=char1,path=/tmp/qtest-28992-so"...) at
../../tests/qtest/libqtest-single.h:29
#8  restart_qemu_or_continue (
   path=0x5644866f6d00 "-M pc  -device
vhost-user-blk-pci,id=drv0,chardev=char1,addr=4.0 -object
memory-backend-memfd,id=mem,size=256M,share=on  -M memory-backend=mem
-m 256M -chardev socket,id=char1,path=/tmp/qtest-28992-so"...) at
../../tests/qtest/qos-test.c:105
#9  run_one_test (arg=) at ../../tests/qtest/qos-test.c:178
#10 0x7fd08990c05a in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x7fd08990c232 in g_test_run_suite () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x7fd08990c251 in g_test_run () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x564485932359 in main (argc=, argv=, envp=)
   at ../../tests/qtest/qos-test.c:338

Backtrace, qemu-system-i386:
Thread 4 (Thread 0x7f965ac7f700 (LWP 30079)):
#0  0x7f9674b6938c in __GI___sigtimedwait (set=,
   set@entry=0x7f965ac7c090, info=info@entry=0x7f965ac7bfd0,
timeout=timeout@entry=0x0)
   at ../sysdeps/unix/sysv/linux/sigtimedwait.c:42
#1  0x7f9674f2c54c in __sigwait (set=set@entry=0x7f965ac7c090,
sig=sig@entry=0x7f965ac7c08c)
   at 

Re: intermittent hang in qos-test for qemu-system-i386 on 32-bit arm host

2021-07-11 Thread Coiby Xu

On Sun, Jul 11, 2021 at 06:23:41AM -0700, Richard Henderson wrote:

On 7/11/21 5:16 AM, Peter Maydell wrote:

On Sun, 11 Jul 2021 at 13:10, Coiby Xu  wrote:


Hi Peter,

On Sat, Jul 10, 2021 at 02:30:36PM +0100, Peter Maydell wrote:

I've noticed recently that intermittently 'make check' will hang on
my aarch32 test system (really an aarch64 box with an aarch32 chroot).


I have a newbie question. How do you do an aarch32 chroot on an aarch64
box? At least, this issue seems to be not reproducible on an aarch64 box
directly. I specifically ran the qos-test for 5 consecutive times and
each time the test could finish successfully,


Your aarch64 host CPU needs to support aarch32 at EL0 (some
AArch64 CPUs are pure-64 bit these days). The host kernel needs
to implement the 32-bit compat layer. It probably also needs to be
built for 4K pages (which mostly means "not RedHat"). Then you can
set up the 32-bit chroot however you'd normally set up a chroot
(for Debian you can do this with debootstrap; other distros will vary;
schroot is also a bit nicer than raw chroot IMHO.)


If you do have a kernel built with 64k pages ("RedHat"), but you do 
have a host cpu that supports aarch32 at EL1 and EL0, then you can run 
aarch32 under KVM.


The command-line I use is

../run/bin/qemu-system-aarch64 -m 4096 -smp 8 -nographic \
 -M virt -cpu host,aarch64=off --accel kvm \
 -kernel vmlinuz-4.19.0-16-armmp-lpae \
 -initrd initrd.img-4.19.0-16-armmp-lpae \
 -append 'console=ttyAMA0 root=/dev/vda2' \
 -drive if=none,file=hda.q,format=qcow2,id=hd,discard=on \
 -device virtio-blk-device,drive=hd \
 -netdev tap,id=tap0,br=virbr0,helper=/usr/libexec/qemu-bridge-helper \
 -device virtio-net-device,netdev=tap0

I believe that I had to perform the install under tcg because I 
couldn't find the right magic to boot off the debian cdrom with kvm.


Thanks for the instructions! Since this issue is also reproducible on 
qemu-system-i386 guest x86-64 Linux host according to Peter's new email, 
I'll check it on i386 guest first.





r~


--
Best regards,
Coiby



[PULL RESEND 00/19] MIPS patches for 2021-07-11

2021-07-11 Thread Philippe Mathieu-Daudé
The following changes since commit 9516034d05a8c71ef157a59f525e4c4f7ed79827:

  Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-6.1-2' into 
staging (2021-07-11 14:32:49 +0100)

are available in the Git repository at:

  https://github.com/philmd/qemu.git tags/mips-20210711

for you to fetch changes up to 39d9919f4b4c3e7f230efd7d845439d6d732dc89:

  dp8393x: don't force 32-bit register access (2021-07-11 22:29:54 +0200)


MIPS patches queue

- Rename Raven ASIC PCI bridge, add PCI_IO_BASE_ADDR definition
- Various Toshiba TX79 opcodes implemented
- Rewrite UHI errno_mips() using switch statement
- Few fixes and improvements in the SONIC model (dp8393x)



Mark Cave-Ayland (2):
  dp8393x: fix CAM descriptor entry index
  dp8393x: don't force 32-bit register access

Philippe Mathieu-Daudé (17):
  hw/pci-host: Rename Raven ASIC PCI bridge as raven.c
  hw/pci-host/raven: Add PCI_IO_BASE_ADDR definition
  target/mips/tx79: Introduce PAND/POR/PXOR/PNOR opcodes (parallel
logic)
  target/mips/tx79: Introduce PSUB* opcodes (Parallel Subtract)
  target/mips/tx79: Introduce PEXTUW (Parallel Extend Upper from Word)
  target/mips/tx79: Introduce PEXTL[BHW] opcodes (Parallel Extend Lower)
  target/mips/tx79: Introduce PCEQ* opcodes (Parallel Compare for Equal)
  target/mips/tx79: Introduce PCGT* (Parallel Compare for Greater Than)
  target/mips/tx79: Introduce PPACW opcode (Parallel Pack to Word)
  target/mips/tx79: Introduce PROT3W opcode (Parallel Rotate 3 Words)
  target/mips/tx79: Introduce LQ opcode (Load Quadword)
  target/mips/tx79: Introduce SQ opcode (Store Quadword)
  target/mips: Rewrite UHI errno_mips() using switch statement
  dp8393x: Replace address_space_rw(is_write=1) by address_space_write()
  dp8393x: Replace 0x40 magic value by SONIC_REG_COUNT definition
  dp8393x: Store CAM registers as 16-bit
  dp8393x: Rewrite dp8393x_get() / dp8393x_put()

 target/mips/tcg/tx79.decode|  34 +++
 hw/net/dp8393x.c   | 208 +++-
 hw/pci-host/{prep.c => raven.c}|  11 +-
 target/mips/tcg/sysemu/mips-semi.c |  24 +-
 target/mips/tcg/translate.c|  16 +-
 target/mips/tcg/tx79_translate.c   | 382 +
 MAINTAINERS|   2 +-
 hw/pci-host/Kconfig|   2 +-
 hw/pci-host/meson.build|   2 +-
 hw/ppc/Kconfig |   2 +-
 10 files changed, 526 insertions(+), 157 deletions(-)
 rename hw/pci-host/{prep.c => raven.c} (97%)

-- 
2.31.1




[PULL 3/4] hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)

2021-07-11 Thread Philippe Mathieu-Daudé
OSS-Fuzz found sending illegal addresses when querying the write
protection bits triggers an assertion:

  qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): 
Assertion `wpnum < sd->wpgrps_size' failed.
  ==11578== ERROR: libFuzzer: deadly signal
  #8 0x7628e091 in __assert_fail
  #9 0x588f1a3c in sd_wpbits hw/sd/sd.c:824:9
  #10 0x588dd271 in sd_normal_command hw/sd/sd.c:1383:38
  #11 0x588d777c in sd_do_command hw/sd/sd.c
  #12 0x58cb25a0 in sdbus_do_command hw/sd/core.c:100:16
  #13 0x58e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12
  #14 0x58dffa46 in sdhci_write hw/sd/sdhci.c:1187:9
  #15 0x598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5

Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check
for multi block reads"), check the address range before sending
the status of the write protection bits.

Include the qtest reproducer provided by Alexander Bulekov:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < 
sd->wpgrps_size' failed.

Reported-by: OSS-Fuzz (Issue 29225)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Bin Meng 
Reviewed-by: Alexander Bulekov 
Message-Id: <20210702155900.148665-4-f4...@amsat.org>
---
 hw/sd/sd.c |  5 +++
 tests/qtest/fuzz-sdcard-test.c | 66 ++
 MAINTAINERS|  3 +-
 tests/qtest/meson.build|  1 +
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 tests/qtest/fuzz-sdcard-test.c

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 9c8dd11bad1..c753ae24ba9 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1379,6 +1379,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
SDRequest req)
 
 switch (sd->state) {
 case sd_transfer_state:
+if (!address_in_range(sd, "SEND_WRITE_PROT",
+  req.arg, sd->blk_len)) {
+return sd_r1;
+}
+
 sd->state = sd_sendingdata_state;
 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
 sd->data_start = addr;
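Review bot: the new guard validates req.arg, while sd->data_start three lines below is set from addr; a one-line comment saying why CMD30 checks the raw argument rather than addr would keep the two from drifting apart. The check also passes sd->blk_len as the length although the data written is a single uint32_t, which is worth stating as well.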
diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
new file mode 100644
index 000..96602eac7e5
--- /dev/null
+++ b/tests/qtest/fuzz-sdcard-test.c
@@ -0,0 +1,66 @@
+/*
+ * QTest fuzzer-generated testcase for sdcard device
+ *
+ * Copyright (c) 2021 Philippe Mathieu-Daudé 
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "libqos/libqtest.h"
+
+/*
+ * https://gitlab.com/qemu-project/qemu/-/issues/450
+ * Used to trigger:
+ *  Assertion `wpnum < sd->wpgrps_size' failed.
+ */
+static void oss_fuzz_29225(void)
+{
+QTestState *s;
+
+s = qtest_init(" -display none -m 512m -nodefaults -nographic"
+   " -device sdhci-pci,sd-spec-version=3"
+   " -device sd-card,drive=d0"
+   " -drive if=none,index=0,file=null-co://,format=raw,id=d0");
+
+qtest_outl(s, 0xcf8, 0x80001010);
+qtest_outl(s, 0xcfc, 0xd0690);
+qtest_outl(s, 0xcf8, 0x80001003);
+qtest_outl(s, 0xcf8, 0x80001013);
+qtest_outl(s, 0xcfc, 0x);
+qtest_outl(s, 0xcf8, 0x80001003);
+qtest_outl(s, 0xcfc, 0x3effe00);
+
+qtest_bufwrite(s, 0xff0d062c, "\xff", 0x1);
+qtest_bufwrite(s, 0xff0d060f, "\xb7", 0x1);
+qtest_bufwrite(s, 0xff0d060a, "\xc9", 0x1);
+qtest_bufwrite(s, 0xff0d060f, "\x29", 0x1);
+qtest_bufwrite(s, 0xff0d060f, "\xc2", 0x1);
+qtest_bufwrite(s, 0xff0d0628, "\xf7", 0x1);
+qtest_bufwrite(s, 0x0, "\xe3", 0x1);
+qtest_bufwrite(s, 0x7, "\x13", 0x1);
+qtest_bufwrite(s, 0x8, "\xe3", 0x1);
+qtest_bufwrite(s, 0xf, "\xe3", 0x1);
+qtest_bufwrite(s, 0xff0d060f, "\x03", 0x1);
+qtest_bufwrite(s, 0xff0d0605, "\x01", 0x1);
+qtest_bufwrite(s, 0xff0d060b, "\xff", 0x1);
+qtest_bufwrite(s, 0xff0d060c, "\xff", 0x1);
+qtest_bufwrite(s, 0xff0d060e, "\xff", 0x1);
+qtest_bufwrite(s, 0xff0d060f, "\x06", 0x1);
+qtest_bufwrite(s, 0xff0d060f, "\x9e", 0x1);
+
+qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+const char *arch = qtest_get_arch();
+
+g_test_init(, , NULL);
+
+   if (strcmp(arch, "i386") == 0) {
+qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
+   }
+
+   return g_test_run();
+}
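Review bot: oss_fuzz_29225() is an uncommented sequence of port and buffer writes, so a later reader cannot tell which writes set up the controller and which one issues the command that reached sd_wpbits(). Suggest grouping the writes under short comments (PCI configuration, SDHCI register setup, command trigger). The test also passes only by QEMU not aborting; a comment saying so would make the intent explicit.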
diff --git a/MAINTAINERS b/MAINTAINERS
index 40d095dbbde..0e4e3761ebc 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1824,7 +1824,8 @@ F: include/hw/sd/sd*
 F: hw/sd/core.c
 F: hw/sd/sd*
 F: hw/sd/ssi-sd.c
-F: tests/qtest/sd*
+F: tests/qtest/fuzz-sdcard-test.c
+F: tests/qtest/sdhci-test.c
 
 USB
 M: Gerd Hoffmann 
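Review bot: replacing the tests/qtest/sd* pattern with two explicit file names means a future SD test file is not covered until MAINTAINERS is edited again. If the glob was too broad, a narrower pattern that still matches new sdcard and sdhci tests would keep coverage automatic.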
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index ee7347b7275..e22a0792c58 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -21,6 +21,7 @@
   
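As an added illustration of the validate-before-lookup order this commit describes (example code written for this page, not QEMU's source), here is a small C model of a CMD30-style handler. The struct, constants, function names and sample card are assumptions, and the range check is written subtraction-first, which goes slightly beyond the patch's addition-based form.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model for illustration. The struct, the constants and the
 * function names are assumptions, not the definitions in hw/sd/sd.c.
 */
#define WPGROUP_SIZE  (128u * 1024u)   /* bytes per write-protect group (assumed) */
#define ADDRESS_ERROR (1u << 30)       /* status bit recorded on a rejected address */
#define MAX_GROUPS    64u

struct card {
    uint64_t size;                      /* capacity in bytes */
    uint32_t blk_len;                   /* current block length */
    uint32_t wpgrps_size;               /* number of valid groups, <= MAX_GROUPS */
    uint8_t  wp_groups[MAX_GROUPS / 8]; /* one protection bit per group */
    uint32_t card_status;
};

/* Group index an address maps to, with no validation at all. */
static uint64_t group_index(uint64_t addr)
{
    return addr / WPGROUP_SIZE;
}

/* Subtraction-first range check: unlike addr + length, it cannot wrap. */
static bool address_in_range(struct card *c, uint64_t addr, uint32_t length)
{
    if (length > c->size || addr > c->size - length) {
        c->card_status |= ADDRESS_ERROR;
        return false;
    }
    return true;
}

/*
 * Protection bits of the 32 groups starting at addr. Groups past the end of
 * the card read as 0. Returns false rather than index beyond the bitmap.
 */
static bool wpbits(const struct card *c, uint64_t addr, uint32_t *out)
{
    uint64_t wpnum = group_index(addr);
    uint32_t bits = 0;

    for (uint32_t i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
        if (addr >= c->size) {
            continue;
        }
        if (wpnum >= c->wpgrps_size) {
            return false;
        }
        if (c->wp_groups[wpnum / 8] & (1u << (wpnum % 8))) {
            bits |= 1u << i;
        }
    }
    *out = bits;
    return true;
}

/* CMD30-style handler: validate the address first, look up second. */
static int send_write_prot(struct card *c, uint64_t addr, uint32_t *out)
{
    if (!address_in_range(c, addr, c->blk_len)) {
        return -1;                      /* ADDRESS_ERROR is now set in card_status */
    }
    return wpbits(c, addr, out) ? 0 : -1;
}

/* Constructed sample card: 1 MiB, 8 groups, groups 0 and 2 protected. */
static struct card make_card(void)
{
    struct card c = { .size = 1024u * 1024u, .blk_len = 512, .wpgrps_size = 8 };
    c.wp_groups[0] = 0x05;
    return c;
}

int main(void)
{
    struct card c = make_card();
    uint32_t bits = 0;
    uint64_t bad = 64u * 1024u * 1024u; /* constructed address far beyond the card */
    int rc;

    printf("bad address maps to group %llu, card has %u groups\n",
           (unsigned long long)group_index(bad), c.wpgrps_size);
    rc = send_write_prot(&c, 0, &bits);
    printf("in-range lookup: rc=%d bits=0x%x\n", rc, bits);
    rc = send_write_prot(&c, bad, &bits);
    printf("out-of-range lookup: rc=%d status=0x%x\n", rc, c.card_status);
    return 0;
}
```

Without the guard, the constructed out-of-range address maps to group 512 on a card that has 8 groups, which is the class of index the assertion in the report caught.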

[PULL 4/4] hw/sd: sdhci: Enable 64-bit system bus capability in the default SD/MMC host controller

2021-07-11 Thread Philippe Mathieu-Daudé
From: Joanne Koong 

The default SD/MMC host controller uses SD spec v2.00. 64-bit system bus 
capability
was added in v2.

In this change, we arrive at 0x157834b4 by computing (0x057834b4 | (1ul << 28))
where 28 represents the BUS64BIT SDHC_CAPAB field.

Signed-off-by: Joanne Koong 
Reviewed-by: Bin Meng 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20210623185921.24113-1-joanneko...@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/sd/sdhci-internal.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/sd/sdhci-internal.h b/hw/sd/sdhci-internal.h
index e8c753d6d1e..a76fc704e5e 100644
--- a/hw/sd/sdhci-internal.h
+++ b/hw/sd/sdhci-internal.h
@@ -316,16 +316,16 @@ extern const VMStateDescription sdhci_vmstate;
  * - 3.3v and 1.8v voltages
  * - SDMA/ADMA1/ADMA2
  * - high-speed
+ * - 64-bit system bus
  * max host controller R/W buffers size: 512B
  * max clock frequency for SDclock: 52 MHz
  * timeout clock frequency: 52 MHz
  *
  * does not support:
  * - 3.0v voltage
- * - 64-bit system bus
  * - suspend/resume
  */
-#define SDHC_CAPAB_REG_DEFAULT 0x057834b4
+#define SDHC_CAPAB_REG_DEFAULT 0x157834b4
 
 #define DEFINE_SDHCI_COMMON_PROPERTIES(_state) \
 DEFINE_PROP_UINT8("sd-spec-version", _state, sd_spec_version, 2), \
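Review bot: changing SDHC_CAPAB_REG_DEFAULT alters a guest-visible capability register for every controller that relies on the default, including guests created before this change. Suggest stating in the commit message or next to the define whether existing versioned machine types need to keep 0x057834b4 for migration compatibility.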
-- 
2.31.1




Re: [PATCH 3/9] tests/acceptance: Tag NetBSD tests as 'os:netbsd'

2021-07-11 Thread Philippe Mathieu-Daudé
On 7/5/21 10:55 AM, Philippe Mathieu-Daudé wrote:
> Hi Niek,
> 
> On 7/4/21 2:35 PM, Niek Linnenbank wrote:
>> for test_arm_orangepi_uboot_netbsd9:
>>
>> Reviewed-by: Niek Linnenbank
> 
> Thanks for the review. Does your R-b tag apply for this single
> patch or all patches related to test_arm_orangepi_uboot_netbsd9
> in this series (3-5)?

Soft-freeze is in 2 days and no review from the NetBSD team,
so postponing these patches to v6.2.



Re: [PULL 0/9] Trivial branch for 6.1 patches

2021-07-11 Thread Peter Maydell
On Fri, 9 Jul 2021 at 21:32, Laurent Vivier  wrote:
>
> The following changes since commit 05de778b5b8ab0b402996769117b88c7ea5c7c61:
>
>   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging 
> (2021-07-09 14:30:01 +0100)
>
> are available in the Git repository at:
>
>   git://github.com/vivier/qemu.git tags/trivial-branch-for-6.1-pull-request
>
> for you to fetch changes up to e28ffe90fde5702aa8716ac2fa1b4116cdcc9e61:
>
>   util/guest-random: Fix size arg to tail memcpy (2021-07-09 18:42:46 +0200)
>
> 
> Trivial patches pull request 20210709
>
> 


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM



[PULL 18/19] dp8393x: Rewrite dp8393x_get() / dp8393x_put()

2021-07-11 Thread Philippe Mathieu-Daudé
Instead of accessing N registers via a single address_space API
call using a temporary buffer (stored in the device state) and
updating each register, move the address_space call in the
register put/get. The load/store and word size checks are moved
to put/get too. This simplifies a bit, making the code easier
to read.

Co-developed-by: Philippe Mathieu-Daudé 
Co-developed-by: Mark Cave-Ayland 
Signed-off-by: Philippe Mathieu-Daudé 
Signed-off-by: Mark Cave-Ayland 
Tested-by: Mark Cave-Ayland 
Tested-by: Finn Thain 
Message-Id: <20210710174954.2577195-8-f4...@amsat.org>
---
 hw/net/dp8393x.c | 160 +++
 1 file changed, 63 insertions(+), 97 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 283de9db0bf..4057a263de3 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -163,7 +163,6 @@ struct dp8393xState {
 
 /* Temporaries */
 uint8_t tx_buffer[0x1];
-uint16_t data[12];
 int loopback_packet;
 
 /* Memory access */
@@ -220,34 +219,48 @@ static uint32_t dp8393x_wt(dp8393xState *s)
 return s->regs[SONIC_WT1] << 16 | s->regs[SONIC_WT0];
 }
 
-static uint16_t dp8393x_get(dp8393xState *s, int width, int offset)
+static uint16_t dp8393x_get(dp8393xState *s, hwaddr addr, int offset)
 {
+const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
 uint16_t val;
 
-if (s->big_endian) {
-val = be16_to_cpu(s->data[offset * width + width - 1]);
+if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
+addr += offset << 2;
+if (s->big_endian) {
+val = address_space_ldl_be(>as, addr, attrs, NULL);
+} else {
+val = address_space_ldl_le(>as, addr, attrs, NULL);
+}
 } else {
-val = le16_to_cpu(s->data[offset * width]);
+addr += offset << 1;
+if (s->big_endian) {
+val = address_space_lduw_be(>as, addr, attrs, NULL);
+} else {
+val = address_space_lduw_le(>as, addr, attrs, NULL);
+}
 }
+
 return val;
 }
 
-static void dp8393x_put(dp8393xState *s, int width, int offset,
-uint16_t val)
+static void dp8393x_put(dp8393xState *s,
+hwaddr addr, int offset, uint16_t val)
 {
-if (s->big_endian) {
-if (width == 2) {
-s->data[offset * 2] = 0;
-s->data[offset * 2 + 1] = cpu_to_be16(val);
+const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+
+if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
+addr += offset << 2;
+if (s->big_endian) {
+address_space_stl_be(>as, addr, val, attrs, NULL);
 } else {
-s->data[offset] = cpu_to_be16(val);
+address_space_stl_le(>as, addr, val, attrs, NULL);
 }
 } else {
-if (width == 2) {
-s->data[offset * 2] = cpu_to_le16(val);
-s->data[offset * 2 + 1] = 0;
+addr += offset << 1;
+if (s->big_endian) {
+address_space_stw_be(>as, addr, val, attrs, NULL);
 } else {
-s->data[offset] = cpu_to_le16(val);
+address_space_stw_le(>as, addr, val, attrs, NULL);
 }
 }
 }
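Review bot: every address_space_ld*/st* call in the new dp8393x_get() and dp8393x_put() passes NULL for the result pointer, so an access to a guest-programmed address that is not backed by memory is treated as success and the returned value is used as register data. Suggest capturing the MemTxResult and handling failure. In the SONIC_DCR_DW branch of dp8393x_get() the 32-bit load is also narrowed into the uint16_t val without a cast or comment; make the truncation explicit.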
@@ -278,12 +291,10 @@ static void dp8393x_do_load_cam(dp8393xState *s)
 
 while (s->regs[SONIC_CDC] & 0x1f) {
 /* Fill current entry */
-address_space_read(>as, dp8393x_cdp(s),
-   MEMTXATTRS_UNSPECIFIED, s->data, size);
-index = dp8393x_get(s, width, 0) & 0xf;
-s->cam[index][0] = dp8393x_get(s, width, 1);
-s->cam[index][1] = dp8393x_get(s, width, 2);
-s->cam[index][2] = dp8393x_get(s, width, 3);
+index = dp8393x_get(s, dp8393x_cdp(s), 0) & 0xf;
+s->cam[index][0] = dp8393x_get(s, dp8393x_cdp(s), 1);
+s->cam[index][1] = dp8393x_get(s, dp8393x_cdp(s), 2);
+s->cam[index][2] = dp8393x_get(s, dp8393x_cdp(s), 3);
 trace_dp8393x_load_cam(index,
s->cam[index][0] >> 8, s->cam[index][0] & 0xff,
s->cam[index][1] >> 8, s->cam[index][1] & 0xff,
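Review bot: the four dp8393x_get() calls now fetch the index and the three CAM words with separate guest-memory reads, where the removed address_space_read() took one snapshot into s->data. The index stays bounded by the & 0xf mask, but a descriptor modified between the reads can now yield a mixed entry. If that matters, read the descriptor once into a local buffer; otherwise say in a comment that per-field reads are intended.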
@@ -294,9 +305,7 @@ static void dp8393x_do_load_cam(dp8393xState *s)
 }
 
 /* Read CAM enable */
-address_space_read(>as, dp8393x_cdp(s),
-   MEMTXATTRS_UNSPECIFIED, s->data, size);
-s->regs[SONIC_CE] = dp8393x_get(s, width, 0);
+s->regs[SONIC_CE] = dp8393x_get(s, dp8393x_cdp(s), 0);
 trace_dp8393x_load_cam_done(s->regs[SONIC_CE]);
 
 /* Done */
@@ -312,14 +321,12 @@ static void dp8393x_do_read_rra(dp8393xState *s)
 /* Read memory */
 width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
 size = sizeof(uint16_t) * 4 * width;
-address_space_read(>as, dp8393x_rrp(s),
-   MEMTXATTRS_UNSPECIFIED, s->data, size);
 
 /* Update SONIC registers */
-s->regs[SONIC_CRBA0] = dp8393x_get(s, width, 0);
-s->regs[SONIC_CRBA1] = dp8393x_get(s, width, 1);
-s->regs[SONIC_RBWC0] = dp8393x_get(s, width, 2);

Re: [PULL 00/19] MIPS patches for 2021-07-11

2021-07-11 Thread Philippe Mathieu-Daudé
On 7/11/21 10:59 PM, Philippe Mathieu-Daudé wrote:
> The following changes since commit 9516034d05a8c71ef157a59f525e4c4f7ed79827:
> 
>   Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-6.1-2' into 
> staging (2021-07-11 14:32:49 +0100)
> 
> are available in the Git repository at:
> 
>   https://github.com/philmd/qemu.git tags/mips-next-20210711

Resending with correct tag.



[PULL 16/19] dp8393x: Replace 0x40 magic value by SONIC_REG_COUNT definition

2021-07-11 Thread Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Mark Cave-Ayland 
Tested-by: Finn Thain 
Message-Id: <20210710174954.2577195-3-f4...@amsat.org>
Tested-by: Mark Cave-Ayland 
---
 hw/net/dp8393x.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 9118364aa33..d1e147a82a6 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -85,6 +85,7 @@ static const char *reg_names[] = {
 #define SONIC_MPT0x2e
 #define SONIC_MDT0x2f
 #define SONIC_DCR2   0x3f
+#define SONIC_REG_COUNT  0x40
 
 #define SONIC_CR_HTX 0x0001
 #define SONIC_CR_TXP 0x0002
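Review bot: SONIC_REG_COUNT is defined as 0x40 right after SONIC_DCR2 0x3f with nothing tying the two together, and the commit message has no body explaining the change. Suggest a one-line comment that the count is the last register index plus one, and a build-time check that reg_names[] has SONIC_REG_COUNT entries.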
@@ -158,7 +159,7 @@ struct dp8393xState {
 
 /* Registers */
 uint8_t cam[16][6];
-uint16_t regs[0x40];
+uint16_t regs[SONIC_REG_COUNT];
 
 /* Temporaries */
 uint8_t tx_buffer[0x1];
@@ -972,7 +973,7 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
 
 address_space_init(>as, s->dma_mr, "dp8393x");
 memory_region_init_io(>mmio, OBJECT(dev), _ops, s,
-  "dp8393x-regs", 0x40 << s->it_shift);
+  "dp8393x-regs", SONIC_REG_COUNT << s->it_shift);
 
 s->nic = qemu_new_nic(_dp83932_info, >conf,
   object_get_typename(OBJECT(dev)), dev->id, s);
@@ -987,7 +988,7 @@ static const VMStateDescription vmstate_dp8393x = {
 .minimum_version_id = 0,
 .fields = (VMStateField []) {
 VMSTATE_BUFFER_UNSAFE(cam, dp8393xState, 0, 16 * 6),
-VMSTATE_UINT16_ARRAY(regs, dp8393xState, 0x40),
+VMSTATE_UINT16_ARRAY(regs, dp8393xState, SONIC_REG_COUNT),
 VMSTATE_END_OF_LIST()
 }
 };
-- 
2.31.1




[PULL 14/19] dp8393x: fix CAM descriptor entry index

2021-07-11 Thread Philippe Mathieu-Daudé
From: Mark Cave-Ayland 

Currently when a LOAD CAM command is executed the entries are loaded into the
CAM from memory in order which is incorrect. According to the datasheet the
first entry in the CAM descriptor is the entry index which means that each
descriptor may update any single entry in the CAM rather than the Nth entry.

Decode the CAM entry index and use it to store the descriptor in the appropriate
slot in the CAM. This fixes the issue where the MacOS toolbox loads a single
CAM descriptor into the final slot in order to perform a loopback test which
must succeed before the Ethernet port is enabled.

Signed-off-by: Mark Cave-Ayland 
Tested-by: Finn Thain 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20210625065401.30170-10-mark.cave-ayl...@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/net/dp8393x.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 252c0a26641..11810c9b600 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -270,7 +270,7 @@ static void dp8393x_update_irq(dp8393xState *s)
 static void dp8393x_do_load_cam(dp8393xState *s)
 {
 int width, size;
-uint16_t index = 0;
+uint16_t index;
 
 width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
 size = sizeof(uint16_t) * 4 * width;
@@ -279,6 +279,7 @@ static void dp8393x_do_load_cam(dp8393xState *s)
 /* Fill current entry */
 address_space_read(>as, dp8393x_cdp(s),
MEMTXATTRS_UNSPECIFIED, s->data, size);
+index = dp8393x_get(s, width, 0) & 0xf;
 s->cam[index][0] = dp8393x_get(s, width, 1) & 0xff;
 s->cam[index][1] = dp8393x_get(s, width, 1) >> 8;
 s->cam[index][2] = dp8393x_get(s, width, 2) & 0xff;
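
Review bot: The `& 0xf` mask on the new `index = dp8393x_get(s, width, 0) & 0xf;` line is the only thing keeping a guest-supplied descriptor index inside `s->cam[]`, so it deserves a named constant or a mask derived from the array size rather than a bare literal. As written, an index above 15 in the descriptor is silently folded onto another entry; if the datasheet defines only the low four bits that is fine, but a short comment saying so would make the bound obvious to the next reader.
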
@@ -291,7 +292,6 @@ static void dp8393x_do_load_cam(dp8393xState *s)
 /* Move to next entry */
 s->regs[SONIC_CDC]--;
 s->regs[SONIC_CDP] += size;
-index++;
 }
 
 /* Read CAM enable */
-- 
2.31.1




[PULL 2/4] hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses

2021-07-11 Thread Philippe Mathieu-Daudé
Multiple commands have to check the address requested is valid.
Extract this code pattern as a new address_in_range() helper, and
log invalid accesses as guest errors.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Bin Meng 
Message-Id: <20210624142209.1193073-3-f4...@amsat.org>
---
 hw/sd/sd.c | 32 
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index d8fdf84f4db..9c8dd11bad1 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -937,6 +937,18 @@ static void sd_lock_command(SDState *sd)
 sd->card_status &= ~CARD_IS_LOCKED;
 }
 
+static bool address_in_range(SDState *sd, const char *desc,
+ uint64_t addr, uint32_t length)
+{
+if (addr + length > sd->size) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s offset %lu > card %lu [%%%u]\n",
+  desc, addr, sd->size, length);
+sd->card_status |= ADDRESS_ERROR;
+return false;
+}
+return true;
+}
+
 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 {
 uint32_t rca = 0x;
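
Review bot: In address_in_range() the format string prints `addr`, declared `uint64_t`, with `%lu`, which is wrong on hosts where long is 32 bits; use `PRIu64` for it (and for `sd->size` if that field is also 64-bit). The check `addr + length > sd->size` can also wrap for an address near the top of the 64-bit range and then pass; comparing as `length > sd->size || addr > sd->size - length` avoids relying on callers to keep `addr` small. The `[%%%u]` at the end prints a literal percent sign before the length, which looks unintended.
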
@@ -1218,8 +1230,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
SDRequest req)
 switch (sd->state) {
 case sd_transfer_state:
 
-if (addr + sd->blk_len > sd->size) {
-sd->card_status |= ADDRESS_ERROR;
+if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
 return sd_r1;
 }
 
@@ -1264,8 +1275,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
SDRequest req)
 switch (sd->state) {
 case sd_transfer_state:
 
-if (addr + sd->blk_len > sd->size) {
-sd->card_status |= ADDRESS_ERROR;
+if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
 return sd_r1;
 }
 
@@ -1325,8 +1335,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
SDRequest req)
 
 switch (sd->state) {
 case sd_transfer_state:
-if (addr >= sd->size) {
-sd->card_status |= ADDRESS_ERROR;
+if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
 return sd_r1b;
 }
 
@@ -1348,8 +1357,7 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
SDRequest req)
 
 switch (sd->state) {
 case sd_transfer_state:
-if (addr >= sd->size) {
-sd->card_status |= ADDRESS_ERROR;
+if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
 return sd_r1b;
 }
 
@@ -1826,8 +1834,8 @@ void sd_write_byte(SDState *sd, uint8_t value)
 case 25:   /* CMD25:  WRITE_MULTIPLE_BLOCK */
 if (sd->data_offset == 0) {
 /* Start of the block - let's check the address is valid */
-if (sd->data_start + sd->blk_len > sd->size) {
-sd->card_status |= ADDRESS_ERROR;
+if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
+  sd->data_start, sd->blk_len)) {
 break;
 }
 if (sd->size <= SDSC_MAX_CAPACITY) {
@@ -1999,8 +2007,8 @@ uint8_t sd_read_byte(SDState *sd)
 
 case 18:   /* CMD18:  READ_MULTIPLE_BLOCK */
 if (sd->data_offset == 0) {
-if (sd->data_start + io_len > sd->size) {
-sd->card_status |= ADDRESS_ERROR;
+if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
+  sd->data_start, io_len)) {
 return 0x00;
 }
 BLK_READ_BLOCK(sd->data_start, io_len);
-- 
2.31.1




[PULL 15/19] dp8393x: Replace address_space_rw(is_write=1) by address_space_write()

2021-07-11 Thread Philippe Mathieu-Daudé
Replace address_space_rw(is_write=1) by address_space_write()
and remove pointless cast.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Mark Cave-Ayland 
Tested-by: Finn Thain 
Message-Id: <20210710174954.2577195-2-f4...@amsat.org>
Tested-by: Mark Cave-Ayland 
---
 hw/net/dp8393x.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 11810c9b600..9118364aa33 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -816,8 +816,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const 
uint8_t * buf,
 size = sizeof(uint16_t) * width;
 address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
 dp8393x_put(s, width, 0, 0);
-address_space_rw(>as, address, MEMTXATTRS_UNSPECIFIED,
- (uint8_t *)s->data, size, 1);
+address_space_write(>as, address, MEMTXATTRS_UNSPECIFIED,
+s->data, size);
 
 /* Move to next descriptor */
 s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
@@ -846,8 +846,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const 
uint8_t * buf,
 /* Pad short packets to keep pointers aligned */
 if (rx_len < padded_len) {
 size = padded_len - rx_len;
-address_space_rw(>as, address, MEMTXATTRS_UNSPECIFIED,
-(uint8_t *)"\xFF\xFF\xFF", size, 1);
+address_space_write(>as, address, MEMTXATTRS_UNSPECIFIED,
+"\xFF\xFF\xFF", size);
 address += size;
 }
 
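
Review bot: In the padding write, `size` is computed as `padded_len - rx_len` while the source is the literal `"\xFF\xFF\xFF"`, which holds only three 0xFF bytes, so the call is correct only while the pad never exceeds three bytes. Dropping the cast does not change that, but an assertion such as `assert(size <= 3)` or a named pad buffer next to this call would make the bound explicit.
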
-- 
2.31.1




[PULL 11/19] target/mips/tx79: Introduce LQ opcode (Load Quadword)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the LQ opcode (Load Quadword) and remove unreachable code.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210214175912.732946-26-f4...@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/tcg/tx79.decode  |  8 
 target/mips/tcg/translate.c  | 16 ++-
 target/mips/tcg/tx79_translate.c | 35 
 3 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 2f65dce2431..0af5c6d0ed1 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -13,6 +13,8 @@
 
rs rt rd sa
 
+   base rt offset
+
 ###
 # Named instruction formats.  These are generally used to
 # reduce the amount of duplication between instruction patterns.
@@ -22,6 +24,8 @@
 @rs .. rs:5  . ..  ..rt=0 rd=0 sa=0
 @rd .. ..  rd:5  . ..rs=0 rt=0 sa=0
 
+@ldst.. base:5 rt:5 offset:16
+
 ###
 
 MFHI1   011100 00  . 0 01   @rd
@@ -62,3 +66,7 @@ PCPYUD  011100 . . . 01110 101001   
@rs_rt_rd
 POR 011100 . . . 10010 101001   @rs_rt_rd
 PNOR011100 . . . 10011 101001   @rs_rt_rd
 PCPYH   011100 0 . . 11011 101001   @rt_rd
+
+# SPECIAL
+
+LQ  00 . .  @ldst
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index ae33c75f088..82a7f2bcc63 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -1180,7 +1180,6 @@ enum {
 
 enum {
 MMI_OPC_CLASS_MMI = 0x1C << 26,/* Same as OPC_SPECIAL2 */
-MMI_OPC_LQ= 0x1E << 26,/* Same as OPC_MSA */
 MMI_OPC_SQ= 0x1F << 26,/* Same as OPC_SPECIAL3 */
 };
 
@@ -15179,11 +15178,6 @@ static void decode_mmi(CPUMIPSState *env, DisasContext 
*ctx)
 }
 }
 
-static void gen_mmi_lq(CPUMIPSState *env, DisasContext *ctx)
-{
-gen_reserved_instruction(ctx);/* TODO: MMI_OPC_LQ */
-}
-
 static void gen_mmi_sq(DisasContext *ctx, int base, int rt, int offset)
 {
 gen_reserved_instruction(ctx);/* TODO: MMI_OPC_SQ */
@@ -16082,14 +16076,8 @@ static bool decode_opc_legacy(CPUMIPSState *env, 
DisasContext *ctx)
 gen_compute_branch(ctx, op, 4, rs, rt, offset, 4);
 }
 break;
-case OPC_MDMX: /* MMI_OPC_LQ */
-if (ctx->insn_flags & INSN_R5900) {
-#if defined(TARGET_MIPS64)
-gen_mmi_lq(env, ctx);
-#endif
-} else {
-/* MDMX: Not implemented. */
-}
+case OPC_MDMX:
+/* MDMX: Not implemented. */
 break;
 case OPC_PCREL:
 check_insn(ctx, ISA_MIPS_R6);
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 402790249f3..d9193b4d86e 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -334,6 +334,41 @@ static bool trans_PCEQW(DisasContext *ctx, arg_rtype *a)
  * SQ  rt, offset(base)  Store Quadword
  */
 
+static bool trans_LQ(DisasContext *ctx, arg_itype *a)
+{
+TCGv_i64 t0;
+TCGv addr;
+
+if (a->rt == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new_i64();
+addr = tcg_temp_new();
+
+gen_base_offset_addr(ctx, addr, a->base, a->offset);
+/*
+ * Clear least-significant four bits of the effective
+ * address, effectively creating an aligned address.
+ */
+tcg_gen_andi_tl(addr, addr, ~0xf);
+
+/* Lower half */
+tcg_gen_qemu_ld_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+gen_store_gpr(t0, a->rt);
+
+/* Upper half */
+tcg_gen_addi_i64(addr, addr, 8);
+tcg_gen_qemu_ld_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+gen_store_gpr_hi(t0, a->rt);
+
+tcg_temp_free(t0);
+tcg_temp_free(addr);
+
+return true;
+}
+
 /*
  * Multiply and Divide (19 instructions)
  * -
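
Review bot: The early `if (a->rt == 0)` return in trans_LQ() skips both `tcg_gen_qemu_ld_i64()` calls, so a load to the zero register never touches memory and cannot raise an address or TLB exception. If the instruction is expected to perform the access even when the destination is discarded, only the `gen_store_gpr()` and `gen_store_gpr_hi()` calls should be skipped; otherwise a one-line comment stating that the access is intentionally dropped would help.
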
-- 
2.31.1




[PULL 1/4] hw/sd/sdcard: When card is in wrong state, log which state it is

2021-07-11 Thread Philippe Mathieu-Daudé
We report the card is in an inconsistent state, but don't specify
which state it is in. Add this information, as it is useful when
debugging problems.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Bin Meng 
Message-Id: <20210624142209.1193073-2-f4...@amsat.org>
Reviewed-by: Alexander Bulekov 
---
 hw/sd/sd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 282d39a7042..d8fdf84f4db 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1504,7 +1504,8 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, 
SDRequest req)
 return sd_illegal;
 }
 
-qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
+qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state: %s\n",
+  req.cmd, sd_state_name(sd->state));
 return sd_illegal;
 }
 
-- 
2.31.1




[PULL 12/19] target/mips/tx79: Introduce SQ opcode (Store Quadword)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the SQ opcode (Store Quadword).

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210214175912.732946-27-f4...@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/tcg/tx79.decode  |  1 +
 target/mips/tcg/tx79_translate.c | 27 +++
 2 files changed, 28 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 0af5c6d0ed1..03a25a5096d 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -70,3 +70,4 @@ PCPYH   011100 0 . . 11011 101001   @rt_rd
 # SPECIAL
 
 LQ  00 . .  @ldst
+SQ  01 . .  @ldst
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index d9193b4d86e..395d6afa1f1 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -369,6 +369,33 @@ static bool trans_LQ(DisasContext *ctx, arg_itype *a)
 return true;
 }
 
+static bool trans_SQ(DisasContext *ctx, arg_itype *a)
+{
+TCGv_i64 t0 = tcg_temp_new_i64();
+TCGv addr = tcg_temp_new();
+
+gen_base_offset_addr(ctx, addr, a->base, a->offset);
+/*
+ * Clear least-significant four bits of the effective
+ * address, effectively creating an aligned address.
+ */
+tcg_gen_andi_tl(addr, addr, ~0xf);
+
+/* Lower half */
+gen_load_gpr(t0, a->rt);
+tcg_gen_qemu_st_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+
+/* Upper half */
+tcg_gen_addi_i64(addr, addr, 8);
+gen_load_gpr_hi(t0, a->rt);
+tcg_gen_qemu_st_i64(t0, addr, ctx->mem_idx, MO_TEQ);
+
+tcg_temp_free(addr);
+tcg_temp_free(t0);
+
+return true;
+}
+
 /*
  * Multiply and Divide (19 instructions)
  * -
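
Review bot: `addr` is declared as `TCGv` and masked with `tcg_gen_andi_tl()`, but the upper-half step in trans_SQ() advances it with `tcg_gen_addi_i64(addr, addr, 8)`, which only type-checks when the target long is 64 bits wide. Using `tcg_gen_addi_tl()` keeps the address arithmetic consistent with the mask above it. It would also be worth naming the `~0xf` alignment mask once, since trans_LQ() repeats it.
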
-- 
2.31.1




[PULL 05/19] target/mips/tx79: Introduce PEXTUW (Parallel Extend Upper from Word)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the PEXTUW opcode (Parallel Extend Upper from Word).

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210309145653.743937-12-f4...@amsat.org>
---
 target/mips/tcg/tx79.decode  |  4 
 target/mips/tcg/tx79_translate.c | 30 ++
 2 files changed, 34 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index d1c07c7d901..ead5f8281e5 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -35,6 +35,10 @@ PSUBW   011100 . . . 1 001000   
@rs_rt_rd
 PSUBH   011100 . . . 00101 001000   @rs_rt_rd
 PSUBB   011100 . . . 01001 001000   @rs_rt_rd
 
+# MMI1
+
+PEXTUW  011100 . . . 10010 101000   @rs_rt_rd
+
 # MMI2
 
 PCPYLD  011100 . . . 01110 001001   @rs_rt_rd
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 3abd1d92e70..68c56affc4c 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -290,6 +290,36 @@ static bool trans_PNOR(DisasContext *ctx, arg_rtype *a)
  * PEXTLW  rd, rs, rtParallel Extend Lower from Word
  */
 
+static void gen_pextw(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 a, TCGv_i64 b)
+{
+tcg_gen_deposit_i64(dl, b, a, 32, 32);
+tcg_gen_shri_i64(b, b, 32);
+tcg_gen_deposit_i64(dh, a, b, 0, 32);
+}
+
+/* Parallel Extend Upper from Word */
+static bool trans_PEXTUW(DisasContext *ctx, arg_rtype *a)
+{
+TCGv_i64 ax, bx;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+ax = tcg_temp_new_i64();
+bx = tcg_temp_new_i64();
+
+gen_load_gpr_hi(ax, a->rs);
+gen_load_gpr_hi(bx, a->rt);
+gen_pextw(cpu_gpr[a->rd], cpu_gpr_hi[a->rd], ax, bx);
+
+tcg_temp_free(bx);
+tcg_temp_free(ax);
+
+return true;
+}
+
 /*
  * Others (16 instructions)
  * 
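
Review bot: gen_pextw() shifts its `b` argument in place with `tcg_gen_shri_i64(b, b, 32)`, so it destroys one of its inputs; that is safe here only because trans_PEXTUW() passes the temporary `bx`. A comment on the helper saying that `b` is clobbered, or a local temporary inside it, would prevent a later caller from passing a live register.
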
-- 
2.31.1




[PULL 0/4] SD/MMC patches for 2021-07-11

2021-07-11 Thread Philippe Mathieu-Daudé
The following changes since commit 9516034d05a8c71ef157a59f525e4c4f7ed79827:

  Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-6.1-2' into staging (2021-07-11 14:32:49 +0100)

are available in the Git repository at:

  https://github.com/philmd/qemu.git tags/sdmmc-20210711

for you to fetch changes up to a36cbb79763630837e7a73ae0d67aca210ebc791:

  hw/sd: sdhci: Enable 64-bit system bus capability in the default SD/MMC host controller (2021-07-11 23:02:51 +0200)


SD/MMC patches queue

- sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)
- sdhci: Enable 64-bit system bus capability in default host controller



Joanne Koong (1):
  hw/sd: sdhci: Enable 64-bit system bus capability in the default
SD/MMC host controller

Philippe Mathieu-Daudé (3):
  hw/sd/sdcard: When card is in wrong state, log which state it is
  hw/sd/sdcard: Extract address_in_range() helper, log invalid accesses
  hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)

 hw/sd/sdhci-internal.h |  4 +--
 hw/sd/sd.c | 40 ++---
 tests/qtest/fuzz-sdcard-test.c | 66 ++
 MAINTAINERS|  3 +-
 tests/qtest/meson.build|  1 +
 5 files changed, 98 insertions(+), 16 deletions(-)
 create mode 100644 tests/qtest/fuzz-sdcard-test.c

-- 
2.31.1




[PULL 08/19] target/mips/tx79: Introduce PCGT* (Parallel Compare for Greater Than)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the 'Parallel Compare for Greater Than' opcodes:

 - PCGTB (Parallel Compare for Greater Than Byte)
 - PCGTH (Parallel Compare for Greater Than Halfword)
 - PCGTW (Parallel Compare for Greater Than Word)

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210309145653.743937-15-f4...@amsat.org>
---
 target/mips/tcg/tx79.decode  |  3 +++
 target/mips/tcg/tx79_translate.c | 18 ++
 2 files changed, 21 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index cfe721755ca..63fbe9694bb 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -32,8 +32,11 @@ MTLO1   011100 .  00 0 010011   @rs
 # MMI0
 
 PSUBW   011100 . . . 1 001000   @rs_rt_rd
+PCGTW   011100 . . . 00010 001000   @rs_rt_rd
 PSUBH   011100 . . . 00101 001000   @rs_rt_rd
+PCGTH   011100 . . . 00110 001000   @rs_rt_rd
 PSUBB   011100 . . . 01001 001000   @rs_rt_rd
+PCGTB   011100 . . . 01010 001000   @rs_rt_rd
 PEXTLW  011100 . . . 10010 001000   @rs_rt_rd
 PEXTLH  011100 . . . 10110 001000   @rs_rt_rd
 PEXTLB  011100 . . . 11010 001000   @rs_rt_rd
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 8dd510c2719..f0e3d8c0b66 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -285,18 +285,36 @@ static bool trans_parallel_compare(DisasContext *ctx, 
arg_rtype *a,
 return true;
 }
 
+/* Parallel Compare for Greater Than Byte */
+static bool trans_PCGTB(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_compare(ctx, a, TCG_COND_GE, 8);
+}
+
 /* Parallel Compare for Equal Byte */
 static bool trans_PCEQB(DisasContext *ctx, arg_rtype *a)
 {
 return trans_parallel_compare(ctx, a, TCG_COND_EQ, 8);
 }
 
+/* Parallel Compare for Greater Than Halfword */
+static bool trans_PCGTH(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_compare(ctx, a, TCG_COND_GE, 16);
+}
+
 /* Parallel Compare for Equal Halfword */
 static bool trans_PCEQH(DisasContext *ctx, arg_rtype *a)
 {
 return trans_parallel_compare(ctx, a, TCG_COND_EQ, 16);
 }
 
+/* Parallel Compare for Greater Than Word */
+static bool trans_PCGTW(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_compare(ctx, a, TCG_COND_GE, 32);
+}
+
 /* Parallel Compare for Equal Word */
 static bool trans_PCEQW(DisasContext *ctx, arg_rtype *a)
 {
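
Review bot: trans_PCGTB(), trans_PCGTH() and trans_PCGTW() are documented as Greater Than but pass `TCG_COND_GE`, a condition that is also true when the two elements are equal. Please check this against the operand order used inside trans_parallel_compare() and either switch to the strict condition that matches it or add a comment explaining why GE gives a greater-than result.
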
-- 
2.31.1




[PULL 04/19] target/mips/tx79: Introduce PSUB* opcodes (Parallel Subtract)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the 'Parallel Subtract' opcodes:

 - PSUBB (Parallel Subtract Byte)
 - PSUBH (Parallel Subtract Halfword)
 - PSUBW (Parallel Subtract Word)

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <820210309145653.743937-11-f4...@amsat.org>
---
 target/mips/tcg/tx79.decode  |  6 ++
 target/mips/tcg/tx79_translate.c | 19 +++
 2 files changed, 25 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 26c80b9bce5..d1c07c7d901 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -29,6 +29,12 @@ MTHI1   011100 .  00 0 010001   @rs
 MFLO1   011100 00  . 0 010010   @rd
 MTLO1   011100 .  00 0 010011   @rs
 
+# MMI0
+
+PSUBW   011100 . . . 1 001000   @rs_rt_rd
+PSUBH   011100 . . . 00101 001000   @rs_rt_rd
+PSUBB   011100 . . . 01001 001000   @rs_rt_rd
+
 # MMI2
 
 PCPYLD  011100 . . . 01110 001001   @rs_rt_rd
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 00364f10d47..3abd1d92e70 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -9,6 +9,7 @@
 
 #include "qemu/osdep.h"
 #include "tcg/tcg-op.h"
+#include "tcg/tcg-op-gvec.h"
 #include "exec/helper-gen.h"
 #include "translate.h"
 
@@ -144,6 +145,24 @@ static bool trans_parallel_arith(DisasContext *ctx, 
arg_rtype *a,
 return true;
 }
 
+/* Parallel Subtract Byte */
+static bool trans_PSUBB(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_vec_sub8_i64);
+}
+
+/* Parallel Subtract Halfword */
+static bool trans_PSUBH(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_vec_sub16_i64);
+}
+
+/* Parallel Subtract Word */
+static bool trans_PSUBW(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_vec_sub32_i64);
+}
+
 /*
  * Min/Max (4 instructions)
  * 
-- 
2.31.1




[PULL 17/19] dp8393x: Store CAM registers as 16-bit

2021-07-11 Thread Philippe Mathieu-Daudé
Per the DP83932C datasheet from July 1995:

  4.0 SONIC Registers
  4.1 THE CAM UNIT

The Content Addressable Memory (CAM) consists of sixteen
48-bit entries for complete address filtering of network
packets. Each entry corresponds to a 48-bit destination
address that is user programmable and can contain any
combination of Multicast or Physical addresses. Each entry
is partitioned into three 16-bit CAM cells accessible
through CAM Address Ports (CAP 2, CAP 1 and CAP 0) with
CAP0 corresponding to the least significant 16 bits of
the Destination Address and CAP2 corresponding to the
most significant bits.

Store the CAM registers as 16-bit as it simplifies the code.

Having now the CAM registers as arrays of 3 uint16_t, we can avoid
using the VMSTATE_BUFFER_UNSAFE macro by using VMSTATE_UINT16_2DARRAY
which is more appropriate. This breaks the migration stream however.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Mark Cave-Ayland 
Tested-by: Finn Thain 
Message-Id: <20210710174954.2577195-5-f4...@amsat.org>
Tested-by: Mark Cave-Ayland 
---
 hw/net/dp8393x.c | 27 ---
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index d1e147a82a6..283de9db0bf 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -158,7 +158,7 @@ struct dp8393xState {
 MemoryRegion mmio;
 
 /* Registers */
-uint8_t cam[16][6];
+uint16_t cam[16][3];
 uint16_t regs[SONIC_REG_COUNT];
 
 /* Temporaries */
@@ -281,15 +281,13 @@ static void dp8393x_do_load_cam(dp8393xState *s)
 address_space_read(>as, dp8393x_cdp(s),
MEMTXATTRS_UNSPECIFIED, s->data, size);
 index = dp8393x_get(s, width, 0) & 0xf;
-s->cam[index][0] = dp8393x_get(s, width, 1) & 0xff;
-s->cam[index][1] = dp8393x_get(s, width, 1) >> 8;
-s->cam[index][2] = dp8393x_get(s, width, 2) & 0xff;
-s->cam[index][3] = dp8393x_get(s, width, 2) >> 8;
-s->cam[index][4] = dp8393x_get(s, width, 3) & 0xff;
-s->cam[index][5] = dp8393x_get(s, width, 3) >> 8;
-trace_dp8393x_load_cam(index, s->cam[index][0], s->cam[index][1],
-   s->cam[index][2], s->cam[index][3],
-   s->cam[index][4], s->cam[index][5]);
+s->cam[index][0] = dp8393x_get(s, width, 1);
+s->cam[index][1] = dp8393x_get(s, width, 2);
+s->cam[index][2] = dp8393x_get(s, width, 3);
+trace_dp8393x_load_cam(index,
+   s->cam[index][0] >> 8, s->cam[index][0] & 0xff,
+   s->cam[index][1] >> 8, s->cam[index][1] & 0xff,
+   s->cam[index][2] >> 8, s->cam[index][2] & 0xff);
 /* Move to next entry */
 s->regs[SONIC_CDC]--;
 s->regs[SONIC_CDP] += size;
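
Review bot: The rewritten `trace_dp8393x_load_cam()` call now passes `>> 8` before `& 0xff` for each cell, whereas the removed code traced `cam[index][0]` (the `& 0xff` byte) first, so the byte order shown in the trace output is reversed for every CAM entry. If that is intended, say so in the commit message; otherwise swap each pair to keep the trace output unchanged.
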
@@ -592,8 +590,7 @@ static uint64_t dp8393x_read(void *opaque, hwaddr addr, 
unsigned int size)
 case SONIC_CAP1:
 case SONIC_CAP0:
 if (s->regs[SONIC_CR] & SONIC_CR_RST) {
-val = s->cam[s->regs[SONIC_CEP] & 0xf][2 * (SONIC_CAP0 - reg) + 1] 
<< 8;
-val |= s->cam[s->regs[SONIC_CEP] & 0xf][2 * (SONIC_CAP0 - reg)];
+val = s->cam[s->regs[SONIC_CEP] & 0xf][SONIC_CAP0 - reg];
 }
 break;
 /* All other registers have no special contraints */
@@ -984,10 +981,10 @@ static void dp8393x_realize(DeviceState *dev, Error 
**errp)
 
 static const VMStateDescription vmstate_dp8393x = {
 .name = "dp8393x",
-.version_id = 0,
-.minimum_version_id = 0,
+.version_id = 1,
+.minimum_version_id = 1,
 .fields = (VMStateField []) {
-VMSTATE_BUFFER_UNSAFE(cam, dp8393xState, 0, 16 * 6),
+VMSTATE_UINT16_2DARRAY(cam, dp8393xState, 16, 3),
 VMSTATE_UINT16_ARRAY(regs, dp8393xState, SONIC_REG_COUNT),
 VMSTATE_END_OF_LIST()
 }
-- 
2.31.1




[PULL 19/19] dp8393x: don't force 32-bit register access

2021-07-11 Thread Philippe Mathieu-Daudé
From: Mark Cave-Ayland 

Commit 3fe9a838ec "dp8393x: Always use 32-bit accesses" set .impl.min_access_size
and .impl.max_access_size to 4 to try and fix the Linux jazzsonic driver which uses
32-bit accesses.

The problem with forcing the register access to 32-bit in this way is that since the
dp8393x uses 16-bit registers, a manual endian swap is required for devices on big
endian machines with 32-bit accesses.

For both access sizes and machine endians the QEMU memory API can do the right thing
automatically: all that is needed is to set .impl.min_access_size to 2 to declare that
the dp8393x implements 16-bit registers.

Normally .impl.max_access_size should also be set to 2, however that doesn't quite
work in this case since the register stride is specified using a (dynamic) it_shift
property which is applied during the MMIO access itself. The effect of this is that
for a 32-bit access the memory API performs 2 x 16-bit accesses, but the use of
it_shift within the MMIO access itself causes the register value to be repeated in both
the top 16-bits and bottom 16-bits. The Linux jazzsonic driver expects the stride to be
zero-extended up to access size and therefore fails to correctly detect the dp8393x
device due to the extra data in the top 16-bits.

The solution here is to remove .impl.max_access_size so that the memory API will
correctly zero-extend the 16-bit registers to the access size up to and including
it_shift. Since it_shift is never greater than 2 then this will always do the right
thing for both 16-bit and 32-bit accesses regardless of the machine endian, allowing
the manual endian swap code to be removed.

Signed-off-by: Mark Cave-Ayland 
Fixes: 3fe9a838ec ("dp8393x: Always use 32-bit accesses")
Message-Id: <20210705214929.17222-2-mark.cave-ayl...@ilande.co.uk>
Signed-off-by: Philippe Mathieu-Daudé 
Tested-by: Finn Thain 
Tested-by: Mark Cave-Ayland 
---
 hw/net/dp8393x.c | 14 +-
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 4057a263de3..45b954e46c2 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -588,15 +588,14 @@ static uint64_t dp8393x_read(void *opaque, hwaddr addr, 
unsigned int size)
 
 trace_dp8393x_read(reg, reg_names[reg], val, size);
 
-return s->big_endian ? val << 16 : val;
+return val;
 }
 
-static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+static void dp8393x_write(void *opaque, hwaddr addr, uint64_t val,
   unsigned int size)
 {
 dp8393xState *s = opaque;
 int reg = addr >> s->it_shift;
-uint32_t val = s->big_endian ? data >> 16 : data;
 
 trace_dp8393x_write(reg, reg_names[reg], val, size);
 
@@ -677,11 +676,16 @@ static void dp8393x_write(void *opaque, hwaddr addr, 
uint64_t data,
 }
 }
 
+/*
+ * Since .impl.max_access_size is effectively controlled by the it_shift
+ * property, leave it unspecified for now to allow the memory API to
+ * correctly zero extend the 16-bit register values to the access size up to 
and
+ * including it_shift.
+ */
 static const MemoryRegionOps dp8393x_ops = {
 .read = dp8393x_read,
 .write = dp8393x_write,
-.impl.min_access_size = 4,
-.impl.max_access_size = 4,
+.impl.min_access_size = 2,
 .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
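
Review bot: The new comment above dp8393x_ops says `.impl.max_access_size` is left unspecified, but not which maximum the memory API then applies, so the zero-extension it relies on is implicit. Stating the effective default in the comment, together with the assumption that `it_shift` never exceeds 2, would let a reader verify the claim without reading the memory core.
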
-- 
2.31.1




[PULL 07/19] target/mips/tx79: Introduce PCEQ* opcodes (Parallel Compare for Equal)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the 'Parallel Compare for Equal' opcodes:

 - PCEQB (Parallel Compare for Equal Byte)
 - PCEQH (Parallel Compare for Equal Halfword)
 - PCEQW (Parallel Compare for Equal Word)

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210309145653.743937-14-f4...@amsat.org>
---
 target/mips/tcg/tx79.decode  |  3 ++
 target/mips/tcg/tx79_translate.c | 66 
 2 files changed, 69 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 98f21d33e3f..cfe721755ca 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -40,6 +40,9 @@ PEXTLB  011100 . . . 11010 001000   
@rs_rt_rd
 
 # MMI1
 
+PCEQW   011100 . . . 00010 101000   @rs_rt_rd
+PCEQH   011100 . . . 00110 101000   @rs_rt_rd
+PCEQB   011100 . . . 01010 101000   @rs_rt_rd
 PEXTUW  011100 . . . 10010 101000   @rs_rt_rd
 
 # MMI2
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index c4656a4c21d..8dd510c2719 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -237,6 +237,72 @@ static bool trans_PNOR(DisasContext *ctx, arg_rtype *a)
  * PCEQW   rd, rs, rtParallel Compare for Equal Word
  */
 
+static bool trans_parallel_compare(DisasContext *ctx, arg_rtype *a,
+   TCGCond cond, unsigned wlen)
+{
+TCGv_i64 c0, c1, ax, bx, t0, t1, t2;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+c0 = tcg_const_tl(0);
+c1 = tcg_const_tl(0x);
+ax = tcg_temp_new_i64();
+bx = tcg_temp_new_i64();
+t0 = tcg_temp_new_i64();
+t1 = tcg_temp_new_i64();
+t2 = tcg_temp_new_i64();
+
+/* Lower half */
+gen_load_gpr(ax, a->rs);
+gen_load_gpr(bx, a->rt);
+for (int i = 0; i < (64 / wlen); i++) {
+tcg_gen_sextract_i64(t0, ax, wlen * i, wlen);
+tcg_gen_sextract_i64(t1, bx, wlen * i, wlen);
+tcg_gen_movcond_i64(cond, t2, t1, t0, c1, c0);
+tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t2, wlen * i, 
wlen);
+}
+/* Upper half */
+gen_load_gpr_hi(ax, a->rs);
+gen_load_gpr_hi(bx, a->rt);
+for (int i = 0; i < (64 / wlen); i++) {
+tcg_gen_sextract_i64(t0, ax, wlen * i, wlen);
+tcg_gen_sextract_i64(t1, bx, wlen * i, wlen);
+tcg_gen_movcond_i64(cond, t2, t1, t0, c1, c0);
+tcg_gen_deposit_i64(cpu_gpr_hi[a->rd], cpu_gpr_hi[a->rd], t2, wlen * 
i, wlen);
+}
+
+tcg_temp_free(t2);
+tcg_temp_free(t1);
+tcg_temp_free(t0);
+tcg_temp_free(bx);
+tcg_temp_free(ax);
+tcg_temp_free(c1);
+tcg_temp_free(c0);
+
+return true;
+}
+
+/* Parallel Compare for Equal Byte */
+static bool trans_PCEQB(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_compare(ctx, a, TCG_COND_EQ, 8);
+}
+
+/* Parallel Compare for Equal Halfword */
+static bool trans_PCEQH(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_compare(ctx, a, TCG_COND_EQ, 16);
+}
+
+/* Parallel Compare for Equal Word */
+static bool trans_PCEQW(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_compare(ctx, a, TCG_COND_EQ, 32);
+}
+
 /*
  * LZC (1 instruction)
  * ---
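
Review bot: In trans_parallel_compare() `c0` and `c1` are declared `TCGv_i64` but created with `tcg_const_tl()`, and all temporaries are released with `tcg_temp_free()` rather than the `_i64` variants, which only type-checks when the target long is 64 bits. Use `tcg_const_i64()` and `tcg_temp_free_i64()` to match the declarations. The lower-half and upper-half loops are identical apart from the register bank and could share one helper.
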
-- 
2.31.1




[PULL 03/19] target/mips/tx79: Introduce PAND/POR/PXOR/PNOR opcodes (parallel logic)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the parallel logic opcodes:

 - PAND (Parallel AND)
 - POR  (Parallel OR)
 - PXOR (Parallel XOR)
 - PNOR (Parallel NOR)

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210214175912.732946-16-f4...@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/tcg/tx79.decode  |  4 +++
 target/mips/tcg/tx79_translate.c | 54 
 2 files changed, 58 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 0f748b53a64..26c80b9bce5 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -32,8 +32,12 @@ MTLO1   011100 .  00 0 010011   @rs
 # MMI2
 
 PCPYLD  011100 . . . 01110 001001   @rs_rt_rd
+PAND011100 . . . 10010 001001   @rs_rt_rd
+PXOR011100 . . . 10011 001001   @rs_rt_rd
 
 # MMI3
 
 PCPYUD  011100 . . . 01110 101001   @rs_rt_rd
+POR 011100 . . . 10010 101001   @rs_rt_rd
+PNOR011100 . . . 10011 101001   @rs_rt_rd
 PCPYH   011100 0 . . 11011 101001   @rt_rd
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index ad83774b977..00364f10d47 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -2,6 +2,7 @@
  * Toshiba TX79-specific instructions translation routines
  *
  *  Copyright (c) 2018 Fredrik Noring
+ *  Copyright (c) 2021 Philippe Mathieu-Daudé
  *
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
@@ -114,6 +115,35 @@ static bool trans_MTLO1(DisasContext *ctx, arg_rtype *a)
  * PSUBUW  rd, rs, rtParallel Subtract with Unsigned saturation Word
  */
 
+static bool trans_parallel_arith(DisasContext *ctx, arg_rtype *a,
+ void (*gen_logic_i64)(TCGv_i64, TCGv_i64, 
TCGv_i64))
+{
+TCGv_i64 ax, bx;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+ax = tcg_temp_new_i64();
+bx = tcg_temp_new_i64();
+
+/* Lower half */
+gen_load_gpr(ax, a->rs);
+gen_load_gpr(bx, a->rt);
+gen_logic_i64(cpu_gpr[a->rd], ax, bx);
+
+/* Upper half */
+gen_load_gpr_hi(ax, a->rs);
+gen_load_gpr_hi(bx, a->rt);
+gen_logic_i64(cpu_gpr_hi[a->rd], ax, bx);
+
+tcg_temp_free(bx);
+tcg_temp_free(ax);
+
+return true;
+}
+
 /*
  * Min/Max (4 instructions)
  * 
@@ -139,6 +169,30 @@ static bool trans_MTLO1(DisasContext *ctx, arg_rtype *a)
  * PNORrd, rs, rtParallel NOR
  */
 
+/* Parallel And */
+static bool trans_PAND(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_and_i64);
+}
+
+/* Parallel Or */
+static bool trans_POR(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_or_i64);
+}
+
+/* Parallel Exclusive Or */
+static bool trans_PXOR(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_xor_i64);
+}
+
+/* Parallel Not Or */
+static bool trans_PNOR(DisasContext *ctx, arg_rtype *a)
+{
+return trans_parallel_arith(ctx, a, tcg_gen_nor_i64);
+}
+
 /*
  * Shift (9 instructions)
  * --
-- 
2.31.1




[PULL 13/19] target/mips: Rewrite UHI errno_mips() using switch statement

2021-07-11 Thread Philippe Mathieu-Daudé
Linking on Haiku OS fails:

  
  /boot/system/develop/tools/bin/../lib/gcc/x86_64-unknown-haiku/8.3.0/../../../../x86_64-unknown-haiku/bin/ld:
  error: libqemu-mips-softmmu.fa.p/target_mips_tcg_sysemu_mips-semi.c.o(.rodata) is too large (0x405a bytes)
  /boot/system/develop/tools/bin/../lib/gcc/x86_64-unknown-haiku/8.3.0/../../../../x86_64-unknown-haiku/bin/ld:
  final link failed: memory exhausted
  collect2: error: ld returned 1 exit status

This is because the host_to_mips_errno[] uses errno as index,
for example:

  static const uint16_t host_to_mips_errno[] = {
  [ENAMETOOLONG] = 91,
  ...

and Haiku defines [*] ENAMETOOLONG as:

   12 /* Error baselines */
   13 #define B_GENERAL_ERROR_BASE  INT_MIN
   ..
   22 #define B_STORAGE_ERROR_BASE  (B_GENERAL_ERROR_BASE + 0x6000)
  ...
  106 #define B_NAME_TOO_LONG   (B_STORAGE_ERROR_BASE + 4)
  ...
  211 #define ENAMETOOLONG  B_TO_POSIX_ERROR(B_NAME_TOO_LONG)

so the array ends up being indeed too big.

Since POSIX errno can't be used as indexes on Haiku,
rewrite errno_mips() using a switch statement.

[*] https://github.com/haiku/haiku/blob/r1beta3/headers/os/support/Errors.h#L130

Reported-by: Richard Zak 
Suggested-by: Thomas Huth 
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Thomas Huth 
Message-Id: <20210706130723.1178961-1-f4...@amsat.org>
---
 target/mips/tcg/sysemu/mips-semi.c | 24 +---
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/target/mips/tcg/sysemu/mips-semi.c 
b/target/mips/tcg/sysemu/mips-semi.c
index 77108b0b1a9..b4a383ae90c 100644
--- a/target/mips/tcg/sysemu/mips-semi.c
+++ b/target/mips/tcg/sysemu/mips-semi.c
@@ -74,25 +74,19 @@ enum UHIOpenFlags {
 UHIOpen_EXCL   = 0x800
 };
 
-/* Errno values taken from asm-mips/errno.h */
-static const uint16_t host_to_mips_errno[] = {
-[ENAMETOOLONG] = 78,
+static int errno_mips(int host_errno)
+{
+/* Errno values taken from asm-mips/errno.h */
+switch (host_errno) {
+case 0: return 0;
+case ENAMETOOLONG:  return 78;
 #ifdef EOVERFLOW
-[EOVERFLOW]= 79,
+case EOVERFLOW: return 79;
 #endif
 #ifdef ELOOP
-[ELOOP]= 90,
+case ELOOP: return 90;
 #endif
-};
-
-static int errno_mips(int err)
-{
-if (err < 0 || err >= ARRAY_SIZE(host_to_mips_errno)) {
-return EINVAL;
-} else if (host_to_mips_errno[err]) {
-return host_to_mips_errno[err];
-} else {
-return err;
+default:return EINVAL;
 }
 }
 
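Review bot: the default case returns the host's EINVAL constant, but the value returned by errno_mips() is a guest (MIPS) errno, and the commit message itself shows that host errno values need not follow the usual numbering (Haiku derives them from INT_MIN). Return the numeric asm-mips value there instead. The removed code also passed unmapped host errno values through with "return err;", so every errno other than 0 and the three listed now collapses to EINVAL; say so in the commit message, or add more case labels if callers relied on the pass-through.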
-- 
2.31.1




[PULL 10/19] target/mips/tx79: Introduce PROT3W opcode (Parallel Rotate 3 Words)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the PROT3W opcode (Parallel Rotate 3 Words).

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210214175912.732946-25-f4...@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/tcg/tx79.decode  |  1 +
 target/mips/tcg/tx79_translate.c | 28 
 2 files changed, 29 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 653910371d2..2f65dce2431 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -54,6 +54,7 @@ PEXTUW  011100 . . . 10010 101000   
@rs_rt_rd
 PCPYLD  011100 . . . 01110 001001   @rs_rt_rd
 PAND011100 . . . 10010 001001   @rs_rt_rd
 PXOR011100 . . . 10011 001001   @rs_rt_rd
+PROT3W  011100 0 . . 1 001001   @rt_rd
 
 # MMI3
 
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 90c33d26a9f..402790249f3 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -593,3 +593,31 @@ static bool trans_PCPYUD(DisasContext *s, arg_rtype *a)
 
 return true;
 }
+
+/* Parallel Rotate 3 Words Left */
+static bool trans_PROT3W(DisasContext *ctx, arg_rtype *a)
+{
+TCGv_i64 ax;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+if (a->rt == 0) {
+tcg_gen_movi_i64(cpu_gpr[a->rd], 0);
+tcg_gen_movi_i64(cpu_gpr_hi[a->rd], 0);
+return true;
+}
+
+ax = tcg_temp_new_i64();
+
+tcg_gen_mov_i64(ax, cpu_gpr_hi[a->rt]);
+tcg_gen_deposit_i64(cpu_gpr_hi[a->rd], ax, cpu_gpr[a->rt], 0, 32);
+
+tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rt], ax, 0, 32);
+tcg_gen_rotri_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], 32);
+
+tcg_temp_free(ax);
+
+return true;
+}
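Review bot: the deposit/rotate sequence in trans_PROT3W() carries no comment saying which source word lands in which destination word, so a reader has to re-derive the permutation from the three TCG ops. Add a short layout comment above the body; as written the code yields rd words 3..0 = rt words 3, 0, 2, 1. The function comment also says "Rotate 3 Words Left" while the subject and the decode entry only say "Parallel Rotate 3 Words"; make them agree.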
-- 
2.31.1




[PULL 06/19] target/mips/tx79: Introduce PEXTL[BHW] opcodes (Parallel Extend Lower)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the 'Parallel Extend Lower' opcodes:

 - PEXTLB (Parallel Extend Upper from Byte)
 - PEXTLH (Parallel Extend Upper from Halfword)
 - PEXTLW (Parallel Extend Upper from Word)

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210309145653.743937-13-f4...@amsat.org>
---
 target/mips/tcg/tx79.decode  |  3 ++
 target/mips/tcg/tx79_translate.c | 75 
 2 files changed, 78 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index ead5f8281e5..98f21d33e3f 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -34,6 +34,9 @@ MTLO1   011100 .  00 0 010011   @rs
 PSUBW   011100 . . . 1 001000   @rs_rt_rd
 PSUBH   011100 . . . 00101 001000   @rs_rt_rd
 PSUBB   011100 . . . 01001 001000   @rs_rt_rd
+PEXTLW  011100 . . . 10010 001000   @rs_rt_rd
+PEXTLH  011100 . . . 10110 001000   @rs_rt_rd
+PEXTLB  011100 . . . 11010 001000   @rs_rt_rd
 
 # MMI1
 
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index 68c56affc4c..c4656a4c21d 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -297,6 +297,81 @@ static void gen_pextw(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 
a, TCGv_i64 b)
 tcg_gen_deposit_i64(dh, a, b, 0, 32);
 }
 
+static bool trans_PEXTLx(DisasContext *ctx, arg_rtype *a, unsigned wlen)
+{
+TCGv_i64 ax, bx;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+ax = tcg_temp_new_i64();
+bx = tcg_temp_new_i64();
+
+gen_load_gpr(ax, a->rs);
+gen_load_gpr(bx, a->rt);
+
+/* Lower half */
+for (int i = 0; i < 64 / (2 * wlen); i++) {
+tcg_gen_deposit_i64(cpu_gpr[a->rd],
+cpu_gpr[a->rd], bx, 2 * wlen * i, wlen);
+tcg_gen_deposit_i64(cpu_gpr[a->rd],
+cpu_gpr[a->rd], ax, 2 * wlen * i + wlen, wlen);
+tcg_gen_shri_i64(bx, bx, wlen);
+tcg_gen_shri_i64(ax, ax, wlen);
+}
+/* Upper half */
+for (int i = 0; i < 64 / (2 * wlen); i++) {
+tcg_gen_deposit_i64(cpu_gpr_hi[a->rd],
+cpu_gpr_hi[a->rd], bx, 2 * wlen * i, wlen);
+tcg_gen_deposit_i64(cpu_gpr_hi[a->rd],
+cpu_gpr_hi[a->rd], ax, 2 * wlen * i + wlen, wlen);
+tcg_gen_shri_i64(bx, bx, wlen);
+tcg_gen_shri_i64(ax, ax, wlen);
+}
+
+tcg_temp_free(bx);
+tcg_temp_free(ax);
+
+return true;
+}
+
+/* Parallel Extend Lower from Byte */
+static bool trans_PEXTLB(DisasContext *ctx, arg_rtype *a)
+{
+return trans_PEXTLx(ctx, a, 8);
+}
+
+/* Parallel Extend Lower from Halfword */
+static bool trans_PEXTLH(DisasContext *ctx, arg_rtype *a)
+{
+return trans_PEXTLx(ctx, a, 16);
+}
+
+/* Parallel Extend Lower from Word */
+static bool trans_PEXTLW(DisasContext *ctx, arg_rtype *a)
+{
+TCGv_i64 ax, bx;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+ax = tcg_temp_new_i64();
+bx = tcg_temp_new_i64();
+
+gen_load_gpr(ax, a->rs);
+gen_load_gpr(bx, a->rt);
+gen_pextw(cpu_gpr[a->rd], cpu_gpr_hi[a->rd], ax, bx);
+
+tcg_temp_free(bx);
+tcg_temp_free(ax);
+
+return true;
+}
+
 /* Parallel Extend Upper from Word */
 static bool trans_PEXTUW(DisasContext *ctx, arg_rtype *a)
 {
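Review bot: in trans_PEXTLx() the "Upper half" loop gives the right result only because the "Lower half" loop has already shifted ax and bx right by 32 bits in total, and nothing in the code states that dependency. Say so in a comment, or make it explicit by factoring the loop body into one helper that takes the destination register, which also removes the duplicated loop. trans_PEXTLW() repeats the same load/free scaffolding around gen_pextw(); consider sharing it.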
-- 
2.31.1




[PULL 09/19] target/mips/tx79: Introduce PPACW opcode (Parallel Pack to Word)

2021-07-11 Thread Philippe Mathieu-Daudé
Introduce the PPACW opcode (Parallel Pack to Word).

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Richard Henderson 
Message-Id: <20210214175912.732946-22-f4...@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/tcg/tx79.decode  |  1 +
 target/mips/tcg/tx79_translate.c | 30 ++
 2 files changed, 31 insertions(+)

diff --git a/target/mips/tcg/tx79.decode b/target/mips/tcg/tx79.decode
index 63fbe9694bb..653910371d2 100644
--- a/target/mips/tcg/tx79.decode
+++ b/target/mips/tcg/tx79.decode
@@ -38,6 +38,7 @@ PCGTH   011100 . . . 00110 001000   
@rs_rt_rd
 PSUBB   011100 . . . 01001 001000   @rs_rt_rd
 PCGTB   011100 . . . 01010 001000   @rs_rt_rd
 PEXTLW  011100 . . . 10010 001000   @rs_rt_rd
+PPACW   011100 . . . 10011 001000   @rs_rt_rd
 PEXTLH  011100 . . . 10110 001000   @rs_rt_rd
 PEXTLB  011100 . . . 11010 001000   @rs_rt_rd
 
diff --git a/target/mips/tcg/tx79_translate.c b/target/mips/tcg/tx79_translate.c
index f0e3d8c0b66..90c33d26a9f 100644
--- a/target/mips/tcg/tx79_translate.c
+++ b/target/mips/tcg/tx79_translate.c
@@ -374,6 +374,36 @@ static bool trans_PCEQW(DisasContext *ctx, arg_rtype *a)
  * PEXTLW  rd, rs, rtParallel Extend Lower from Word
  */
 
+/* Parallel Pack to Word */
+static bool trans_PPACW(DisasContext *ctx, arg_rtype *a)
+{
+TCGv_i64 a0, b0, t0;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+a0 = tcg_temp_new_i64();
+b0 = tcg_temp_new_i64();
+t0 = tcg_temp_new_i64();
+
+gen_load_gpr(a0, a->rs);
+gen_load_gpr(b0, a->rt);
+
+gen_load_gpr_hi(t0, a->rt); /* b1 */
+tcg_gen_deposit_i64(cpu_gpr[a->rd], b0, t0, 32, 32);
+
+gen_load_gpr_hi(t0, a->rs); /* a1 */
+tcg_gen_deposit_i64(cpu_gpr_hi[a->rd], a0, t0, 32, 32);
+
+tcg_temp_free(t0);
+tcg_temp_free(b0);
+tcg_temp_free(a0);
+
+return true;
+}
+
 static void gen_pextw(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 a, TCGv_i64 b)
 {
 tcg_gen_deposit_i64(dl, b, a, 32, 32);
-- 
2.31.1




[PULL 02/19] hw/pci-host/raven: Add PCI_IO_BASE_ADDR definition

2021-07-11 Thread Philippe Mathieu-Daudé
Rather than using the magic 0x8000 number for the PCI I/O BAR
physical address on the main system bus, use a definition.

Signed-off-by: Philippe Mathieu-Daudé 
Acked-by: David Gibson 
Message-Id: <20210417103028.601124-6-f4...@amsat.org>
---
 hw/pci-host/raven.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index 9fef74fc56c..3be27f0a14d 100644
--- a/hw/pci-host/raven.c
+++ b/hw/pci-host/raven.c
@@ -81,6 +81,8 @@ struct PRePPCIState {
 
 #define BIOS_SIZE (1 * MiB)
 
+#define PCI_IO_BASE_ADDR0x8000  /* Physical address on main bus */
+
 static inline uint32_t raven_pci_io_config(hwaddr addr)
 {
 int i;
@@ -158,7 +160,7 @@ static uint64_t raven_io_read(void *opaque, hwaddr addr,
 uint8_t buf[4];
 
 addr = raven_io_address(s, addr);
-address_space_read(>pci_io_as, addr + 0x8000,
+address_space_read(>pci_io_as, addr + PCI_IO_BASE_ADDR,
MEMTXATTRS_UNSPECIFIED, buf, size);
 
 if (size == 1) {
@@ -190,7 +192,7 @@ static void raven_io_write(void *opaque, hwaddr addr,
 g_assert_not_reached();
 }
 
-address_space_write(>pci_io_as, addr + 0x8000,
+address_space_write(>pci_io_as, addr + PCI_IO_BASE_ADDR,
 MEMTXATTRS_UNSPECIFIED, buf, size);
 }
 
@@ -293,8 +295,9 @@ static void raven_pcihost_initfn(Object *obj)
 address_space_init(>pci_io_as, >pci_io, "raven-io");
 
 /* CPU address space */
-memory_region_add_subregion(address_space_mem, 0x8000, >pci_io);
-memory_region_add_subregion_overlap(address_space_mem, 0x8000,
+memory_region_add_subregion(address_space_mem, PCI_IO_BASE_ADDR,
+>pci_io);
+memory_region_add_subregion_overlap(address_space_mem, PCI_IO_BASE_ADDR,
 >pci_io_non_contiguous, 1);
 memory_region_add_subregion(address_space_mem, 0xc000, >pci_memory);
 pci_root_bus_new_inplace(>pci_bus, sizeof(s->pci_bus), DEVICE(obj), 
NULL,
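Review bot: this hunk replaces the bare 0x8000 with PCI_IO_BASE_ADDR, but the next context line still maps pci_memory at a bare 0xc000. Add a matching definition for the PCI memory base in the same patch so the CPU address space layout is named consistently.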
-- 
2.31.1




[PULL 01/19] hw/pci-host: Rename Raven ASIC PCI bridge as raven.c

2021-07-11 Thread Philippe Mathieu-Daudé
The ASIC PCI bridge chipset from Motorola is named 'Raven'.
This chipset is used in the PowerPC Reference Platform (PReP),
but not restricted to it. Rename it accordingly.

Signed-off-by: Philippe Mathieu-Daudé 
Acked-by: David Gibson 
Message-Id: <20210417103028.601124-5-f4...@amsat.org>
---
 hw/pci-host/{prep.c => raven.c} | 0
 MAINTAINERS | 2 +-
 hw/pci-host/Kconfig | 2 +-
 hw/pci-host/meson.build | 2 +-
 hw/ppc/Kconfig  | 2 +-
 5 files changed, 4 insertions(+), 4 deletions(-)
 rename hw/pci-host/{prep.c => raven.c} (100%)

diff --git a/hw/pci-host/prep.c b/hw/pci-host/raven.c
similarity index 100%
rename from hw/pci-host/prep.c
rename to hw/pci-host/raven.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 40d095dbbde..36eb0cb9c3c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1304,7 +1304,7 @@ S: Maintained
 F: hw/ppc/prep.c
 F: hw/ppc/prep_systemio.c
 F: hw/ppc/rs6000_mc.c
-F: hw/pci-host/prep.[hc]
+F: hw/pci-host/raven.c
 F: hw/isa/i82378.c
 F: hw/isa/pc87312.c
 F: hw/dma/i82374.c
diff --git a/hw/pci-host/Kconfig b/hw/pci-host/Kconfig
index 79c20bf28bb..84494400b86 100644
--- a/hw/pci-host/Kconfig
+++ b/hw/pci-host/Kconfig
@@ -6,7 +6,7 @@ config XEN_IGD_PASSTHROUGH
 default y
 depends on XEN && PCI_I440FX
 
-config PREP_PCI
+config RAVEN_PCI
 bool
 select PCI
 select OR_IRQ
diff --git a/hw/pci-host/meson.build b/hw/pci-host/meson.build
index 1698d3a1920..4c4f39c15c6 100644
--- a/hw/pci-host/meson.build
+++ b/hw/pci-host/meson.build
@@ -13,7 +13,7 @@
 pci_ss.add(when: 'CONFIG_SH_PCI', if_true: files('sh_pci.c'))
 
 # PPC devices
-pci_ss.add(when: 'CONFIG_PREP_PCI', if_true: files('prep.c'))
+pci_ss.add(when: 'CONFIG_RAVEN_PCI', if_true: files('raven.c'))
 pci_ss.add(when: 'CONFIG_GRACKLE_PCI', if_true: files('grackle.c'))
 # NewWorld PowerMac
 pci_ss.add(when: 'CONFIG_UNIN_PCI', if_true: files('uninorth.c'))
diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig
index 7fcafec60a4..322a7eb031e 100644
--- a/hw/ppc/Kconfig
+++ b/hw/ppc/Kconfig
@@ -85,7 +85,7 @@ config PREP
 imply PCI_DEVICES
 imply TEST_DEVICES
 select CS4231A
-select PREP_PCI
+select RAVEN_PCI
 select I82378
 select LSI_SCSI_PCI
 select M48T59
-- 
2.31.1




[PULL 00/19] MIPS patches for 2021-07-11

2021-07-11 Thread Philippe Mathieu-Daudé
The following changes since commit 9516034d05a8c71ef157a59f525e4c4f7ed79827:

  Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-6.1-2' into 
staging (2021-07-11 14:32:49 +0100)

are available in the Git repository at:

  https://github.com/philmd/qemu.git tags/mips-next-20210711

for you to fetch changes up to 39d9919f4b4c3e7f230efd7d845439d6d732dc89:

  dp8393x: don't force 32-bit register access (2021-07-11 22:29:54 +0200)


MIPS patches queue

- Rename Raven ASIC PCI bridge, add PCI_IO_BASE_ADDR definition
- Various Toshiba TX79 opcodes implemented
- Rewrite UHI errno_mips() using switch statement
- Few fixes and improvements in the SONIC model (dp8393x)



Mark Cave-Ayland (2):
  dp8393x: fix CAM descriptor entry index
  dp8393x: don't force 32-bit register access

Philippe Mathieu-Daudé (17):
  hw/pci-host: Rename Raven ASIC PCI bridge as raven.c
  hw/pci-host/raven: Add PCI_IO_BASE_ADDR definition
  target/mips/tx79: Introduce PAND/POR/PXOR/PNOR opcodes (parallel
logic)
  target/mips/tx79: Introduce PSUB* opcodes (Parallel Subtract)
  target/mips/tx79: Introduce PEXTUW (Parallel Extend Upper from Word)
  target/mips/tx79: Introduce PEXTL[BHW] opcodes (Parallel Extend Lower)
  target/mips/tx79: Introduce PCEQ* opcodes (Parallel Compare for Equal)
  target/mips/tx79: Introduce PCGT* (Parallel Compare for Greater Than)
  target/mips/tx79: Introduce PPACW opcode (Parallel Pack to Word)
  target/mips/tx79: Introduce PROT3W opcode (Parallel Rotate 3 Words)
  target/mips/tx79: Introduce LQ opcode (Load Quadword)
  target/mips/tx79: Introduce SQ opcode (Store Quadword)
  target/mips: Rewrite UHI errno_mips() using switch statement
  dp8393x: Replace address_space_rw(is_write=1) by address_space_write()
  dp8393x: Replace 0x40 magic value by SONIC_REG_COUNT definition
  dp8393x: Store CAM registers as 16-bit
  dp8393x: Rewrite dp8393x_get() / dp8393x_put()

 target/mips/tcg/tx79.decode|  34 +++
 hw/net/dp8393x.c   | 208 +++-
 hw/pci-host/{prep.c => raven.c}|  11 +-
 target/mips/tcg/sysemu/mips-semi.c |  24 +-
 target/mips/tcg/translate.c|  16 +-
 target/mips/tcg/tx79_translate.c   | 382 +
 MAINTAINERS|   2 +-
 hw/pci-host/Kconfig|   2 +-
 hw/pci-host/meson.build|   2 +-
 hw/ppc/Kconfig |   2 +-
 10 files changed, 526 insertions(+), 157 deletions(-)
 rename hw/pci-host/{prep.c => raven.c} (97%)

-- 
2.31.1




[PATCH v4 4/4] replication: Remove workaround

2021-07-11 Thread Lukas Straub
Remove the workaround introduced in commit
6ecbc6c52672db5c13805735ca02784879ce8285
"replication: Avoid blk_make_empty() on read-only child".

It is not needed anymore since s->hidden_disk is guaranteed to be
writable when secondary_do_checkpoint() runs, because replication_start(),
_do_checkpoint() and _stop() are only called by COLO migration code
and COLO-migration activates all disks via bdrv_invalidate_cache_all()
before it calls these functions.

Signed-off-by: Lukas Straub 
---
 block/replication.c | 12 +---
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/block/replication.c b/block/replication.c
index b74192f795..32444b9a8f 100644
--- a/block/replication.c
+++ b/block/replication.c
@@ -346,17 +346,7 @@ static void secondary_do_checkpoint(BlockDriverState *bs, 
Error **errp)
 return;
 }

-BlockBackend *blk = blk_new(qemu_get_current_aio_context(),
-BLK_PERM_WRITE, BLK_PERM_ALL);
-blk_insert_bs(blk, s->hidden_disk->bs, _err);
-if (local_err) {
-error_propagate(errp, local_err);
-blk_unref(blk);
-return;
-}
-
-ret = blk_make_empty(blk, errp);
-blk_unref(blk);
+ret = bdrv_make_empty(s->hidden_disk, errp);
 if (ret < 0) {
 return;
 }
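Review bot: bdrv_make_empty(s->hidden_disk, errp) is correct only if the hidden disk already holds write permission when secondary_do_checkpoint() runs, and that guarantee is stated only in the commit message. Put a short comment at the call site naming the precondition (disks activated by the COLO migration code before these entry points are called) so a future caller outside that path does not reintroduce the failure the workaround covered.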
--
2.20.1




[PATCH v4 2/4] replication: Reduce usage of s->hidden_disk and s->secondary_disk

2021-07-11 Thread Lukas Straub
In preparation for the next patch, initialize s->hidden_disk and
s->secondary_disk later and replace access to them with local variables
in the places where they aren't initialized yet.

Signed-off-by: Lukas Straub 
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 block/replication.c | 45 -
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/block/replication.c b/block/replication.c
index 9ad2dfdc69..25bbdf5d4b 100644
--- a/block/replication.c
+++ b/block/replication.c
@@ -366,27 +366,35 @@ static void reopen_backing_file(BlockDriverState *bs, 
bool writable,
 Error **errp)
 {
 BDRVReplicationState *s = bs->opaque;
+BdrvChild *hidden_disk, *secondary_disk;
 BlockReopenQueue *reopen_queue = NULL;

+/*
+ * s->hidden_disk and s->secondary_disk may not be set yet, as they will
+ * only be set after the children are writable.
+ */
+hidden_disk = bs->file->bs->backing;
+secondary_disk = hidden_disk->bs->backing;
+
 if (writable) {
-s->orig_hidden_read_only = bdrv_is_read_only(s->hidden_disk->bs);
-s->orig_secondary_read_only = bdrv_is_read_only(s->secondary_disk->bs);
+s->orig_hidden_read_only = bdrv_is_read_only(hidden_disk->bs);
+s->orig_secondary_read_only = bdrv_is_read_only(secondary_disk->bs);
 }

-bdrv_subtree_drained_begin(s->hidden_disk->bs);
-bdrv_subtree_drained_begin(s->secondary_disk->bs);
+bdrv_subtree_drained_begin(hidden_disk->bs);
+bdrv_subtree_drained_begin(secondary_disk->bs);

 if (s->orig_hidden_read_only) {
 QDict *opts = qdict_new();
 qdict_put_bool(opts, BDRV_OPT_READ_ONLY, !writable);
-reopen_queue = bdrv_reopen_queue(reopen_queue, s->hidden_disk->bs,
+reopen_queue = bdrv_reopen_queue(reopen_queue, hidden_disk->bs,
  opts, true);
 }

 if (s->orig_secondary_read_only) {
 QDict *opts = qdict_new();
 qdict_put_bool(opts, BDRV_OPT_READ_ONLY, !writable);
-reopen_queue = bdrv_reopen_queue(reopen_queue, s->secondary_disk->bs,
+reopen_queue = bdrv_reopen_queue(reopen_queue, secondary_disk->bs,
  opts, true);
 }

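Review bot: reopen_backing_file() now walks bs->file->bs->backing and hidden_disk->bs->backing with no NULL checks, whereas replication_start() validates the same chain before using it. If every caller guarantees the chain is intact, state that in the new comment or assert it; otherwise a missing backing file becomes a NULL dereference here instead of an error_setg().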
@@ -401,8 +409,8 @@ static void reopen_backing_file(BlockDriverState *bs, bool 
writable,
 }
 }

-bdrv_subtree_drained_end(s->hidden_disk->bs);
-bdrv_subtree_drained_end(s->secondary_disk->bs);
+bdrv_subtree_drained_end(hidden_disk->bs);
+bdrv_subtree_drained_end(secondary_disk->bs);
 }

 static void backup_job_cleanup(BlockDriverState *bs)
@@ -459,7 +467,7 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 BlockDriverState *bs = rs->opaque;
 BDRVReplicationState *s;
 BlockDriverState *top_bs;
-BdrvChild *active_disk;
+BdrvChild *active_disk, *hidden_disk, *secondary_disk;
 int64_t active_length, hidden_length, disk_length;
 AioContext *aio_context;
 Error *local_err = NULL;
@@ -504,15 +512,15 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 return;
 }

-s->hidden_disk = active_disk->bs->backing;
-if (!s->hidden_disk->bs || !s->hidden_disk->bs->backing) {
+hidden_disk = active_disk->bs->backing;
+if (!hidden_disk->bs || !hidden_disk->bs->backing) {
 error_setg(errp, "Hidden disk doesn't have backing file");
 aio_context_release(aio_context);
 return;
 }

-s->secondary_disk = s->hidden_disk->bs->backing;
-if (!s->secondary_disk->bs || !bdrv_has_blk(s->secondary_disk->bs)) {
+secondary_disk = hidden_disk->bs->backing;
+if (!secondary_disk->bs || !bdrv_has_blk(secondary_disk->bs)) {
 error_setg(errp, "The secondary disk doesn't have block backend");
 aio_context_release(aio_context);
 return;
@@ -520,8 +528,8 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,

 /* verify the length */
 active_length = bdrv_getlength(active_disk->bs);
-hidden_length = bdrv_getlength(s->hidden_disk->bs);
-disk_length = bdrv_getlength(s->secondary_disk->bs);
+hidden_length = bdrv_getlength(hidden_disk->bs);
+disk_length = bdrv_getlength(secondary_disk->bs);
 if (active_length < 0 || hidden_length < 0 || disk_length < 0 ||
 active_length != hidden_length || hidden_length != disk_length) {
 error_setg(errp, "Active disk, hidden disk, secondary disk's 
length"
@@ -531,10 +539,10 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 }

 /* Must be true, or the bdrv_getlength() calls would have failed */
-assert(active_disk->bs->drv && s->hidden_disk->bs->drv);
+assert(active_disk->bs->drv && hidden_disk->bs->drv);

 if 

[PATCH v4 1/4] replication: Remove s->active_disk

2021-07-11 Thread Lukas Straub
s->active_disk is bs->file. Remove it and use local variables instead.

Signed-off-by: Lukas Straub 
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 block/replication.c | 34 +-
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/block/replication.c b/block/replication.c
index 774e15df16..9ad2dfdc69 100644
--- a/block/replication.c
+++ b/block/replication.c
@@ -35,7 +35,6 @@ typedef enum {
 typedef struct BDRVReplicationState {
 ReplicationMode mode;
 ReplicationStage stage;
-BdrvChild *active_disk;
 BlockJob *commit_job;
 BdrvChild *hidden_disk;
 BdrvChild *secondary_disk;
@@ -307,8 +306,10 @@ out:
 return ret;
 }

-static void secondary_do_checkpoint(BDRVReplicationState *s, Error **errp)
+static void secondary_do_checkpoint(BlockDriverState *bs, Error **errp)
 {
+BDRVReplicationState *s = bs->opaque;
+BdrvChild *active_disk = bs->file;
 Error *local_err = NULL;
 int ret;

@@ -323,13 +324,13 @@ static void secondary_do_checkpoint(BDRVReplicationState 
*s, Error **errp)
 return;
 }

-if (!s->active_disk->bs->drv) {
+if (!active_disk->bs->drv) {
 error_setg(errp, "Active disk %s is ejected",
-   s->active_disk->bs->node_name);
+   active_disk->bs->node_name);
 return;
 }

-ret = bdrv_make_empty(s->active_disk, errp);
+ret = bdrv_make_empty(active_disk, errp);
 if (ret < 0) {
 return;
 }
@@ -458,6 +459,7 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 BlockDriverState *bs = rs->opaque;
 BDRVReplicationState *s;
 BlockDriverState *top_bs;
+BdrvChild *active_disk;
 int64_t active_length, hidden_length, disk_length;
 AioContext *aio_context;
 Error *local_err = NULL;
@@ -495,15 +497,14 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 case REPLICATION_MODE_PRIMARY:
 break;
 case REPLICATION_MODE_SECONDARY:
-s->active_disk = bs->file;
-if (!s->active_disk || !s->active_disk->bs ||
-!s->active_disk->bs->backing) {
+active_disk = bs->file;
+if (!active_disk || !active_disk->bs || !active_disk->bs->backing) {
 error_setg(errp, "Active disk doesn't have backing file");
 aio_context_release(aio_context);
 return;
 }

-s->hidden_disk = s->active_disk->bs->backing;
+s->hidden_disk = active_disk->bs->backing;
 if (!s->hidden_disk->bs || !s->hidden_disk->bs->backing) {
 error_setg(errp, "Hidden disk doesn't have backing file");
 aio_context_release(aio_context);
@@ -518,7 +519,7 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 }

 /* verify the length */
-active_length = bdrv_getlength(s->active_disk->bs);
+active_length = bdrv_getlength(active_disk->bs);
 hidden_length = bdrv_getlength(s->hidden_disk->bs);
 disk_length = bdrv_getlength(s->secondary_disk->bs);
 if (active_length < 0 || hidden_length < 0 || disk_length < 0 ||
@@ -530,9 +531,9 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 }

 /* Must be true, or the bdrv_getlength() calls would have failed */
-assert(s->active_disk->bs->drv && s->hidden_disk->bs->drv);
+assert(active_disk->bs->drv && s->hidden_disk->bs->drv);

-if (!s->active_disk->bs->drv->bdrv_make_empty ||
+if (!active_disk->bs->drv->bdrv_make_empty ||
 !s->hidden_disk->bs->drv->bdrv_make_empty) {
 error_setg(errp,
"Active disk or hidden disk doesn't support 
make_empty");
@@ -586,7 +587,7 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 s->stage = BLOCK_REPLICATION_RUNNING;

 if (s->mode == REPLICATION_MODE_SECONDARY) {
-secondary_do_checkpoint(s, errp);
+secondary_do_checkpoint(bs, errp);
 }

 s->error = 0;
@@ -615,7 +616,7 @@ static void replication_do_checkpoint(ReplicationState *rs, 
Error **errp)
 }

 if (s->mode == REPLICATION_MODE_SECONDARY) {
-secondary_do_checkpoint(s, errp);
+secondary_do_checkpoint(bs, errp);
 }
 aio_context_release(aio_context);
 }
@@ -652,7 +653,6 @@ static void replication_done(void *opaque, int ret)
 if (ret == 0) {
 s->stage = BLOCK_REPLICATION_DONE;

-s->active_disk = NULL;
 s->secondary_disk = NULL;
 s->hidden_disk = NULL;
 s->error = 0;
@@ -705,7 +705,7 @@ static void replication_stop(ReplicationState *rs, bool 
failover, Error **errp)
 }

 if (!failover) {
-secondary_do_checkpoint(s, errp);
+secondary_do_checkpoint(bs, errp);
 s->stage = BLOCK_REPLICATION_DONE;
 aio_context_release(aio_context);
 return;

[PATCH v4 3/4] replication: Properly attach children

2021-07-11 Thread Lukas Straub
The replication driver needs access to the children block-nodes of
its child so it can issue bdrv_make_empty() and bdrv_co_pwritev()
to manage the replication. However, it does this by directly copying
the BdrvChilds, which is wrong.

Fix this by properly attaching the block-nodes with
bdrv_attach_child() and requesting the required permissions.

This ultimately fixes a potential crash in replication_co_writev(),
because it may write to s->secondary_disk if it is in state
BLOCK_REPLICATION_FAILOVER_FAILED, without requesting write
permissions first. And now the workaround in
secondary_do_checkpoint() can be removed.

Signed-off-by: Lukas Straub 
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 block/replication.c | 30 +++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/block/replication.c b/block/replication.c
index 25bbdf5d4b..b74192f795 100644
--- a/block/replication.c
+++ b/block/replication.c
@@ -165,7 +165,12 @@ static void replication_child_perm(BlockDriverState *bs, 
BdrvChild *c,
uint64_t perm, uint64_t shared,
uint64_t *nperm, uint64_t *nshared)
 {
-*nperm = BLK_PERM_CONSISTENT_READ;
+if (role & BDRV_CHILD_PRIMARY) {
+*nperm = BLK_PERM_CONSISTENT_READ;
+} else {
+*nperm = 0;
+}
+
 if ((bs->open_flags & (BDRV_O_INACTIVE | BDRV_O_RDWR)) == BDRV_O_RDWR) {
 *nperm |= BLK_PERM_WRITE;
 }
@@ -557,8 +562,25 @@ static void replication_start(ReplicationState *rs, 
ReplicationMode mode,
 return;
 }

-s->hidden_disk = hidden_disk;
-s->secondary_disk = secondary_disk;
+bdrv_ref(hidden_disk->bs);
+s->hidden_disk = bdrv_attach_child(bs, hidden_disk->bs, "hidden disk",
+   _of_bds, BDRV_CHILD_DATA,
+   _err);
+if (local_err) {
+error_propagate(errp, local_err);
+aio_context_release(aio_context);
+return;
+}
+
+bdrv_ref(secondary_disk->bs);
+s->secondary_disk = bdrv_attach_child(bs, secondary_disk->bs,
+  "secondary disk", _of_bds,
+  BDRV_CHILD_DATA, _err);
+if (local_err) {
+error_propagate(errp, local_err);
+aio_context_release(aio_context);
+return;
+}

 /* start backup job now */
 error_setg(>blocker,
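Review bot: when the second bdrv_attach_child() fails, the error path returns with s->hidden_disk still attached, and nothing in this hunk releases it. Call bdrv_unref_child(bs, s->hidden_disk) and clear the pointer before returning there, or explain why leaving it attached is safe.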
@@ -664,7 +686,9 @@ static void replication_done(void *opaque, int ret)
 if (ret == 0) {
 s->stage = BLOCK_REPLICATION_DONE;

+bdrv_unref_child(bs, s->secondary_disk);
 s->secondary_disk = NULL;
+bdrv_unref_child(bs, s->hidden_disk);
 s->hidden_disk = NULL;
 s->error = 0;
 } else {
--
2.20.1





[PATCH v4 0/4] replication: Bugfix and properly attach children

2021-07-11 Thread Lukas Straub
Hello Everyone,
A while ago Kevin noticed that the replication driver doesn't properly attach
the children it wants to use. Instead, it directly copies the BdrvChilds from
its backing file, which is wrong. This patchset fixes the problem, fixes a
potential crash in replication_co_writev due to missing permissions and removes
a workaround that was put in place back then.

Regards,
Lukas Straub

Changes:

-v4:
-minor style fixes
-clarify why children are guaranteed to be writable in
 "replication: Remove workaround"
-Added Reviewed-by tags

-v3:
-Split up into multiple patches
-Remove s->active_disk
-Clarify child permissions in commit message

-v2: Test for BDRV_CHILD_PRIMARY in replication_child_perm, since
 bs->file might not be set yet. (Vladimir)


Lukas Straub (4):
  replication: Remove s->active_disk
  replication: Reduce usage of s->hidden_disk and s->secondary_disk
  replication: Properly attach children
  replication: Remove workaround

 block/replication.c | 111 +++-
 1 file changed, 68 insertions(+), 43 deletions(-)

--
2.20.1




[PULL 5/6] tests/qtest/nvme-test: add persistent memory region test

2021-07-11 Thread Klaus Jensen
From: Gollu Appalanaidu 

This will test the PMR functionality.

Signed-off-by: Gollu Appalanaidu 
Reviewed-by: Klaus Jensen 
[k.jensen: replaced memory-backend-file with memory-backend-ram]
Signed-off-by: Klaus Jensen 
---
 tests/qtest/nvme-test.c | 61 -
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/nvme-test.c b/tests/qtest/nvme-test.c
index d32c953a3824..47e757d7e2af 100644
--- a/tests/qtest/nvme-test.c
+++ b/tests/qtest/nvme-test.c
@@ -13,6 +13,7 @@
 #include "libqos/libqtest.h"
 #include "libqos/qgraph.h"
 #include "libqos/pci.h"
+#include "include/block/nvme.h"
 
 typedef struct QNvme QNvme;
 
@@ -66,12 +67,65 @@ static void nvmetest_oob_cmb_test(void *obj, void *data, 
QGuestAllocator *alloc)
 g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 
0x44332211);
 }
 
+static void nvmetest_pmr_reg_test(void *obj, void *data, QGuestAllocator 
*alloc)
+{
+QNvme *nvme = obj;
+QPCIDevice *pdev = >dev;
+QPCIBar pmr_bar, nvme_bar;
+uint32_t pmrcap, pmrsts;
+
+qpci_device_enable(pdev);
+pmr_bar = qpci_iomap(pdev, 4, NULL);
+
+/* Without Enabling PMRCTL check bar enablemet */
+qpci_io_writel(pdev, pmr_bar, 0, 0xccbbaa99);
+g_assert_cmpint(qpci_io_readb(pdev, pmr_bar, 0), !=, 0x99);
+g_assert_cmpint(qpci_io_readw(pdev, pmr_bar, 0), !=, 0xaa99);
+
+/* Map NVMe Bar Register to Enable the Mem Region */
+nvme_bar = qpci_iomap(pdev, 0, NULL);
+
+pmrcap = qpci_io_readl(pdev, nvme_bar, 0xe00);
+g_assert_cmpint(NVME_PMRCAP_RDS(pmrcap), ==, 0x1);
+g_assert_cmpint(NVME_PMRCAP_WDS(pmrcap), ==, 0x1);
+g_assert_cmpint(NVME_PMRCAP_BIR(pmrcap), ==, 0x4);
+g_assert_cmpint(NVME_PMRCAP_PMRWBM(pmrcap), ==, 0x2);
+g_assert_cmpint(NVME_PMRCAP_CMSS(pmrcap), ==, 0x1);
+
+/* Enable PMRCTRL */
+qpci_io_writel(pdev, nvme_bar, 0xe04, 0x1);
+
+qpci_io_writel(pdev, pmr_bar, 0, 0x44332211);
+g_assert_cmpint(qpci_io_readb(pdev, pmr_bar, 0), ==, 0x11);
+g_assert_cmpint(qpci_io_readw(pdev, pmr_bar, 0), ==, 0x2211);
+g_assert_cmpint(qpci_io_readl(pdev, pmr_bar, 0), ==, 0x44332211);
+
+pmrsts = qpci_io_readl(pdev, nvme_bar, 0xe08);
+g_assert_cmpint(NVME_PMRSTS_NRDY(pmrsts), ==, 0x0);
+
+/* Disable PMRCTRL */
+qpci_io_writel(pdev, nvme_bar, 0xe04, 0x0);
+
+qpci_io_writel(pdev, pmr_bar, 0, 0x88776655);
+g_assert_cmpint(qpci_io_readb(pdev, pmr_bar, 0), !=, 0x55);
+g_assert_cmpint(qpci_io_readw(pdev, pmr_bar, 0), !=, 0x6655);
+g_assert_cmpint(qpci_io_readl(pdev, pmr_bar, 0), !=, 0x88776655);
+
+pmrsts = qpci_io_readl(pdev, nvme_bar, 0xe08);
+g_assert_cmpint(NVME_PMRSTS_NRDY(pmrsts), ==, 0x1);
+
+qpci_iounmap(pdev, nvme_bar);
+qpci_iounmap(pdev, pmr_bar);
+}
+
 static void nvme_register_nodes(void)
 {
 QOSGraphEdgeOptions opts = {
 .extra_device_opts = "addr=04.0,drive=drv0,serial=foo",
 .before_cmd_line = "-drive id=drv0,if=none,file=null-co://,"
-   "file.read-zeroes=on,format=raw",
+   "file.read-zeroes=on,format=raw "
+   "-object memory-backend-ram,id=pmr0,"
+   "share=on,size=8",
 };
 
 add_qpci_address(, &(QPCIAddress) { .devfn = QPCI_DEVFN(4, 0) });
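Review bot: in nvmetest_pmr_reg_test the first block (PMR not yet enabled) asserts only the qpci_io_readb and qpci_io_readw results, while the matching block after "Disable PMRCTRL" also asserts qpci_io_readl; add the readl check so both disabled states are verified the same way. The register offsets 0xe00, 0xe04 and 0xe08 are bare literals; named constants would read better next to the NVME_PMRCAP_* and NVME_PMRSTS_* accessors the test already uses. The comment "check bar enablemet" has a typo, and the comments alternate between PMRCTL and PMRCTRL. Note also that the memory-backend-ram object is appended to the shared before_cmd_line in nvme_register_nodes, so every nvme test now starts with it, not only the PMR one.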
@@ -83,6 +137,11 @@ static void nvme_register_nodes(void)
 qos_add_test("oob-cmb-access", "nvme", nvmetest_oob_cmb_test, 
&(QOSGraphTestOptions) {
 .edge.extra_device_opts = "cmb_size_mb=2"
 });
+
+qos_add_test("pmr-test-access", "nvme", nvmetest_pmr_reg_test,
+ &(QOSGraphTestOptions) {
+.edge.extra_device_opts = "pmrdev=pmr0"
+});
 }
 
 libqos_init(nvme_register_nodes);
-- 
2.32.0




Re: [PATCH v3 4/4] replication: Remove workaround

2021-07-11 Thread Lukas Straub
On Fri, 9 Jul 2021 10:49:23 +0300
Vladimir Sementsov-Ogievskiy  wrote:

> 07.07.2021 21:15, Lukas Straub wrote:
> > Remove the workaround introduced in commit
> > 6ecbc6c52672db5c13805735ca02784879ce8285
> > "replication: Avoid blk_make_empty() on read-only child".
> > 
> > It is not needed anymore since s->hidden_disk is guaranteed to be
> > writable when secondary_do_checkpoint() runs. Because replication_start(),
> > _do_checkpoint() and _stop() are only called by COLO migration code
> > and COLO-migration doesn't inactivate disks.  
> 
> If you look at replication_child_perm() you should also be sure that it always 
> works only with RW disks.
> 
> Actually, I think that it would be correct to just require BLK_PERM_WRITE in 
> replication_child_perm() unconditionally. Let generic layer care about all 
> these RD/WR things. In _child_perm() we can require WRITE and don't care. If 
> something goes wrong and we can't get WRITE permission we should see clean 
> error-out.
> 
> Opposite, if we don't require WRITE permission in some case and still do 
> WRITE request, it may crash.
> 
> Still, this may be considered as a preexisting problem of 
> replication_child_perm() and fixed separately.

Hmm, unconditionally requesting write doesn't work, since qemu on the
secondary side is started with "-migration incoming", it goes into
runstate RUN_STATE_INMIGRATE from the beginning and then blockdev_init()
opens every blockdev with BDRV_O_INACTIVE and then it errors out with
-drive driver=replication,...: Block node is read-only.

> > 
> > Signed-off-by: Lukas Straub   
> 
> So, for this one commit (with probably updated commit message accordingly to 
> my comments, or even rebased on fixed replication_child_perm()):
> 
> Reviewed-by: Vladimir Sementsov-Ogievskiy 
> 
> 
> > ---
> >   block/replication.c | 12 +---
> >   1 file changed, 1 insertion(+), 11 deletions(-)
> > 
> > diff --git a/block/replication.c b/block/replication.c
> > index c0d4a6c264..68b46d65a8 100644
> > --- a/block/replication.c
> > +++ b/block/replication.c
> > @@ -348,17 +348,7 @@ static void secondary_do_checkpoint(BlockDriverState 
> > *bs, Error **errp)
> >   return;
> >   }
> > 
> > -BlockBackend *blk = blk_new(qemu_get_current_aio_context(),
> > -BLK_PERM_WRITE, BLK_PERM_ALL);
> > -blk_insert_bs(blk, s->hidden_disk->bs, _err);
> > -if (local_err) {
> > -error_propagate(errp, local_err);
> > -blk_unref(blk);
> > -return;
> > -}
> > -
> > -ret = blk_make_empty(blk, errp);
> > -blk_unref(blk);
> > +ret = bdrv_make_empty(s->hidden_disk, errp);
> >   if (ret < 0) {
> >   return;
> >   }
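Review bot: the new bdrv_make_empty(s->hidden_disk, errp) call no longer goes through a BlockBackend created with BLK_PERM_WRITE, so nothing at this call site acquires or checks write permission before the hidden disk is emptied. The commit message argues that s->hidden_disk is guaranteed to be writable when secondary_do_checkpoint() runs; state that invariant in a comment above the call, naming where the permission is taken, so a later change to the permission handling does not turn this into a write on a read-only child.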
> > --
> > 2.20.1
> >   
> 
> 





[PULL 3/6] hw/nvme: unregister controller with subsystem at exit

2021-07-11 Thread Klaus Jensen
From: Klaus Jensen 

Make sure the controller is unregistered from the subsystem when the
device is removed.

Reviewed-by: Hannes Reinecke 
Signed-off-by: Klaus Jensen 
---
 hw/nvme/nvme.h   | 1 +
 hw/nvme/ctrl.c   | 4 
 hw/nvme/subsys.c | 5 +
 3 files changed, 10 insertions(+)

diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h
index 0868359a1e86..c4065467d877 100644
--- a/hw/nvme/nvme.h
+++ b/hw/nvme/nvme.h
@@ -50,6 +50,7 @@ typedef struct NvmeSubsystem {
 } NvmeSubsystem;
 
 int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp);
+void nvme_subsys_unregister_ctrl(NvmeSubsystem *subsys, NvmeCtrl *n);
 
 static inline NvmeCtrl *nvme_subsys_ctrl(NvmeSubsystem *subsys,
  uint32_t cntlid)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index dd1801510032..90e3ee2b70ee 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -6523,6 +6523,10 @@ static void nvme_exit(PCIDevice *pci_dev)
 nvme_ns_cleanup(ns);
 }
 
+if (n->subsys) {
+nvme_subsys_unregister_ctrl(n->subsys, n);
+}
+
 g_free(n->cq);
 g_free(n->sq);
 g_free(n->aer_reqs);
diff --git a/hw/nvme/subsys.c b/hw/nvme/subsys.c
index dc7a96862f37..92caa604a280 100644
--- a/hw/nvme/subsys.c
+++ b/hw/nvme/subsys.c
@@ -32,6 +32,11 @@ int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp)
 return cntlid;
 }
 
+void nvme_subsys_unregister_ctrl(NvmeSubsystem *subsys, NvmeCtrl *n)
+{
+subsys->ctrls[n->cntlid] = NULL;
+}
+
 static void nvme_subsys_setup(NvmeSubsystem *subsys)
 {
 const char *nqn = subsys->params.nqn ?
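Review bot: nvme_subsys_unregister_ctrl() clears subsys->ctrls[n->cntlid] without checking that the slot actually holds n. nvme_exit() calls it whenever n->subsys is set, so if exit ever runs for a controller whose registration did not complete (nvme_subsys_register_ctrl() takes an Error **errp), the index may not be this controller's and another controller's entry would be cleared. Consider guarding with a check that subsys->ctrls[n->cntlid] == n, or document that cntlid is always valid once n->subsys is set. The subsys argument is also redundant with n->subsys at the only call site.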
-- 
2.32.0




[PULL 6/6] hw/nvme: fix controller hot unplugging

2021-07-11 Thread Klaus Jensen
From: Klaus Jensen 

Prior to this patch the nvme-ns devices are always children of the
NvmeBus owned by the NvmeCtrl. This causes the namespaces to be
unrealized when the parent device is removed. However, when subsystems
are involved, this is not what we want since the namespaces may be
attached to other controllers as well.

This patch adds an additional NvmeBus on the subsystem device. When
nvme-ns devices are realized, if the parent controller device is linked
to a subsystem, the parent bus is set to the subsystem one instead. This
makes sure that namespaces are kept alive and not unrealized.

Reviewed-by: Hannes Reinecke 
Signed-off-by: Klaus Jensen 
---
 hw/nvme/nvme.h   | 15 ---
 hw/nvme/ctrl.c   | 14 ++
 hw/nvme/ns.c | 18 ++
 hw/nvme/subsys.c |  3 +++
 4 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h
index c4065467d877..83ffabade4cf 100644
--- a/hw/nvme/nvme.h
+++ b/hw/nvme/nvme.h
@@ -33,12 +33,20 @@ QEMU_BUILD_BUG_ON(NVME_MAX_NAMESPACES > NVME_NSID_BROADCAST 
- 1);
 typedef struct NvmeCtrl NvmeCtrl;
 typedef struct NvmeNamespace NvmeNamespace;
 
+#define TYPE_NVME_BUS "nvme-bus"
+OBJECT_DECLARE_SIMPLE_TYPE(NvmeBus, NVME_BUS)
+
+typedef struct NvmeBus {
+BusState parent_bus;
+} NvmeBus;
+
 #define TYPE_NVME_SUBSYS "nvme-subsys"
 #define NVME_SUBSYS(obj) \
 OBJECT_CHECK(NvmeSubsystem, (obj), TYPE_NVME_SUBSYS)
 
 typedef struct NvmeSubsystem {
 DeviceState parent_obj;
+NvmeBus bus;
 uint8_t subnqn[256];
 
 NvmeCtrl  *ctrls[NVME_MAX_CONTROLLERS];
@@ -365,13 +373,6 @@ typedef struct NvmeCQueue {
 QTAILQ_HEAD(, NvmeRequest) req_list;
 } NvmeCQueue;
 
-#define TYPE_NVME_BUS "nvme-bus"
-#define NVME_BUS(obj) OBJECT_CHECK(NvmeBus, (obj), TYPE_NVME_BUS)
-
-typedef struct NvmeBus {
-BusState parent_bus;
-} NvmeBus;
-
 #define TYPE_NVME "nvme"
 #define NVME(obj) \
 OBJECT_CHECK(NvmeCtrl, (obj), TYPE_NVME)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index ead7531bde5e..2f0524e12a36 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -6527,16 +6527,14 @@ static void nvme_exit(PCIDevice *pci_dev)
 
 nvme_ctrl_reset(n);
 
-for (i = 1; i <= NVME_MAX_NAMESPACES; i++) {
-ns = nvme_ns(n, i);
-if (!ns) {
-continue;
+if (n->subsys) {
+for (i = 1; i <= NVME_MAX_NAMESPACES; i++) {
+ns = nvme_ns(n, i);
+if (ns) {
+ns->attached--;
+}
 }
 
-nvme_ns_cleanup(ns);
-}
-
-if (n->subsys) {
 nvme_subsys_unregister_ctrl(n->subsys, n);
 }
 
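Review bot: in nvme_exit() the ns->attached-- in the new loop has no lower bound check and no matching increment is visible in this patch; if a namespace reachable through nvme_ns(n, i) was never counted for this controller, the counter wraps or goes negative. Decrement only when the value is non-zero, or assert on it. The hunk also drops the nvme_ns_cleanup() loop for the case without a subsystem, so cleanup there now depends on nvme_ns_unrealize() running when the namespace device is unrealized; a one-line comment saying so would keep the next reader from re-adding the loop.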
diff --git a/hw/nvme/ns.c b/hw/nvme/ns.c
index 3c4f5b8c714a..b7cf1494e75b 100644
--- a/hw/nvme/ns.c
+++ b/hw/nvme/ns.c
@@ -441,6 +441,15 @@ void nvme_ns_cleanup(NvmeNamespace *ns)
 }
 }
 
+static void nvme_ns_unrealize(DeviceState *dev)
+{
+NvmeNamespace *ns = NVME_NS(dev);
+
+nvme_ns_drain(ns);
+nvme_ns_shutdown(ns);
+nvme_ns_cleanup(ns);
+}
+
 static void nvme_ns_realize(DeviceState *dev, Error **errp)
 {
 NvmeNamespace *ns = NVME_NS(dev);
@@ -462,6 +471,14 @@ static void nvme_ns_realize(DeviceState *dev, Error **errp)
"linked to an nvme-subsys device");
 return;
 }
+} else {
+/*
+ * If this namespace belongs to a subsystem (through a link on the
+ * controller device), reparent the device.
+ */
+if (!qdev_set_parent_bus(dev, >bus.parent_bus, errp)) {
+return;
+}
 }
 
 if (nvme_ns_setup(ns, errp)) {
@@ -552,6 +569,7 @@ static void nvme_ns_class_init(ObjectClass *oc, void *data)
 
 dc->bus_type = TYPE_NVME_BUS;
 dc->realize = nvme_ns_realize;
+dc->unrealize = nvme_ns_unrealize;
 device_class_set_props(dc, nvme_ns_props);
 dc->desc = "Virtual NVMe namespace";
 }
diff --git a/hw/nvme/subsys.c b/hw/nvme/subsys.c
index 92caa604a280..93c35950d69d 100644
--- a/hw/nvme/subsys.c
+++ b/hw/nvme/subsys.c
@@ -50,6 +50,9 @@ static void nvme_subsys_realize(DeviceState *dev, Error 
**errp)
 {
 NvmeSubsystem *subsys = NVME_SUBSYS(dev);
 
+qbus_create_inplace(>bus, sizeof(NvmeBus), TYPE_NVME_BUS, dev,
+dev->id);
+
 nvme_subsys_setup(subsys);
 }
 
-- 
2.32.0




[PULL 4/6] hw/nvme: error handling for too many mappings

2021-07-11 Thread Klaus Jensen
From: Padmakar Kalghatgi 

If the number of PRP/SGL mappings exceeds 1024, reads and writes will
fail because of an internal QEMU limitation of max 1024 vectors.

Signed-off-by: Padmakar Kalghatgi 
Reviewed-by: Klaus Jensen 
[k.jensen: changed the error message to be more generic]
Signed-off-by: Klaus Jensen 
---
 hw/nvme/ctrl.c   | 13 +
 hw/nvme/trace-events |  1 +
 2 files changed, 14 insertions(+)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 90e3ee2b70ee..ead7531bde5e 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -623,6 +623,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, 
hwaddr addr, size_t len)
 return NVME_INVALID_USE_OF_CMB | NVME_DNR;
 }
 
+if (sg->iov.niov + 1 > IOV_MAX) {
+goto max_mappings_exceeded;
+}
+
 if (cmb) {
 return nvme_map_addr_cmb(n, >iov, addr, len);
 } else {
@@ -634,9 +638,18 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, 
hwaddr addr, size_t len)
 return NVME_INVALID_USE_OF_CMB | NVME_DNR;
 }
 
+if (sg->qsg.nsg + 1 > IOV_MAX) {
+goto max_mappings_exceeded;
+}
+
 qemu_sglist_add(>qsg, addr, len);
 
 return NVME_SUCCESS;
+
+max_mappings_exceeded:
+NVME_GUEST_ERR(pci_nvme_ub_too_many_mappings,
+   "number of mappings exceed 1024");
+return NVME_INTERNAL_DEV_ERROR | NVME_DNR;
 }
 
 static inline bool nvme_addr_is_dma(NvmeCtrl *n, hwaddr addr)
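Review bot: the NVME_GUEST_ERR message under max_mappings_exceeded hard-codes "number of mappings exceed 1024" while both checks compare against IOV_MAX, so the text is wrong wherever IOV_MAX is not 1024, and it disagrees with the generic trace-events string "too many prp/sgl mappings" added in the same patch. Drop the number or format IOV_MAX into the message. The two conditions written as "+ 1 > IOV_MAX" would also read more directly as ">= IOV_MAX".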
diff --git a/hw/nvme/trace-events b/hw/nvme/trace-events
index f9a1f14e2638..430eeb395b24 100644
--- a/hw/nvme/trace-events
+++ b/hw/nvme/trace-events
@@ -199,3 +199,4 @@ pci_nvme_ub_db_wr_invalid_cqhead(uint32_t qid, uint16_t 
new_head) "completion qu
 pci_nvme_ub_db_wr_invalid_sq(uint32_t qid) "submission queue doorbell write 
for nonexistent queue, sqid=%"PRIu32", ignoring"
 pci_nvme_ub_db_wr_invalid_sqtail(uint32_t qid, uint16_t new_tail) "submission 
queue doorbell write value beyond queue size, sqid=%"PRIu32", 
new_head=%"PRIu16", ignoring"
 pci_nvme_ub_unknown_css_value(void) "unknown value in cc.css field"
+pci_nvme_ub_too_many_mappings(void) "too many prp/sgl mappings"
-- 
2.32.0




Re: [PATCH v4 0/5] dp8393x: fixes and improvements

2021-07-11 Thread Philippe Mathieu-Daudé
On 7/11/21 12:36 PM, Philippe Mathieu-Daudé wrote:
> Hi Mark,
> 
> This should be the last respin.
> 
> Since v3:
> - dropped worrying patches
> - squashed migration patch
> - added tags
> 
> Patch #3 (dp8393x: Store CAM registers as 16-bit) still
> misses your S-o-b tag.
> 
> Based-on mips-next.
> 
> Mark Cave-Ayland (1):
>   dp8393x: don't force 32-bit register access
> 
> Philippe Mathieu-Daudé (4):
>   dp8393x: Replace address_space_rw(is_write=1) by address_space_write()
>   dp8393x: Replace 0x40 magic value by SONIC_REG16_COUNT definition
>   dp8393x: Store CAM registers as 16-bit
>   dp8393x: Rewrite dp8393x_get() / dp8393x_put()

Series applied to mips-next.



[PULL 1/6] hw/nvme: remove NvmeCtrl parameter from ns setup/check functions

2021-07-11 Thread Klaus Jensen
From: Klaus Jensen 

The nvme_ns_setup and nvme_ns_check_constraints should not depend on the
controller state. Refactor and remove it.

Reviewed-by: Hannes Reinecke 
Signed-off-by: Klaus Jensen 
---
 hw/nvme/nvme.h |  2 +-
 hw/nvme/ctrl.c |  2 +-
 hw/nvme/ns.c   | 37 ++---
 3 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h
index 56f8eceed2ad..0868359a1e86 100644
--- a/hw/nvme/nvme.h
+++ b/hw/nvme/nvme.h
@@ -246,7 +246,7 @@ static inline void nvme_aor_dec_active(NvmeNamespace *ns)
 }
 
 void nvme_ns_init_format(NvmeNamespace *ns);
-int nvme_ns_setup(NvmeCtrl *n, NvmeNamespace *ns, Error **errp);
+int nvme_ns_setup(NvmeNamespace *ns, Error **errp);
 void nvme_ns_drain(NvmeNamespace *ns);
 void nvme_ns_shutdown(NvmeNamespace *ns);
 void nvme_ns_cleanup(NvmeNamespace *ns);
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 629b0d38c2a2..dd1801510032 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -6498,7 +6498,7 @@ static void nvme_realize(PCIDevice *pci_dev, Error **errp)
 ns = >namespace;
 ns->params.nsid = 1;
 
-if (nvme_ns_setup(n, ns, errp)) {
+if (nvme_ns_setup(ns, errp)) {
 return;
 }
 
diff --git a/hw/nvme/ns.c b/hw/nvme/ns.c
index 4275c3db6301..3c4f5b8c714a 100644
--- a/hw/nvme/ns.c
+++ b/hw/nvme/ns.c
@@ -346,8 +346,7 @@ static void nvme_zoned_ns_shutdown(NvmeNamespace *ns)
 assert(ns->nr_open_zones == 0);
 }
 
-static int nvme_ns_check_constraints(NvmeCtrl *n, NvmeNamespace *ns,
- Error **errp)
+static int nvme_ns_check_constraints(NvmeNamespace *ns, Error **errp)
 {
 if (!ns->blkconf.blk) {
 error_setg(errp, "block backend not configured");
@@ -366,20 +365,6 @@ static int nvme_ns_check_constraints(NvmeCtrl *n, 
NvmeNamespace *ns,
 return -1;
 }
 
-if (!n->subsys) {
-if (ns->params.detached) {
-error_setg(errp, "detached requires that the nvme device is "
-   "linked to an nvme-subsys device");
-return -1;
-}
-
-if (ns->params.shared) {
-error_setg(errp, "shared requires that the nvme device is "
-   "linked to an nvme-subsys device");
-return -1;
-}
-}
-
 if (ns->params.zoned) {
 if (ns->params.max_active_zones) {
 if (ns->params.max_open_zones > ns->params.max_active_zones) {
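Review bot: with the detached/shared checks removed from nvme_ns_check_constraints(), any caller of nvme_ns_setup() other than nvme_ns_realize() no longer gets them, and the ctrl.c hunk shows nvme_realize() calling nvme_ns_setup(ns, errp) directly for the controller's own namespace. If that path can never have detached or shared set, say so in a comment next to the relocated checks in nvme_ns_realize(); otherwise the checks need to stay reachable from both callers.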
@@ -411,9 +396,9 @@ static int nvme_ns_check_constraints(NvmeCtrl *n, 
NvmeNamespace *ns,
 return 0;
 }
 
-int nvme_ns_setup(NvmeCtrl *n, NvmeNamespace *ns, Error **errp)
+int nvme_ns_setup(NvmeNamespace *ns, Error **errp)
 {
-if (nvme_ns_check_constraints(n, ns, errp)) {
+if (nvme_ns_check_constraints(ns, errp)) {
 return -1;
 }
 
@@ -465,7 +450,21 @@ static void nvme_ns_realize(DeviceState *dev, Error **errp)
 uint32_t nsid = ns->params.nsid;
 int i;
 
-if (nvme_ns_setup(n, ns, errp)) {
+if (!n->subsys) {
+if (ns->params.detached) {
+error_setg(errp, "detached requires that the nvme device is "
+   "linked to an nvme-subsys device");
+return;
+}
+
+if (ns->params.shared) {
+error_setg(errp, "shared requires that the nvme device is "
+   "linked to an nvme-subsys device");
+return;
+}
+}
+
+if (nvme_ns_setup(ns, errp)) {
 return;
 }
 
-- 
2.32.0




[PULL 2/6] hw/nvme: mark nvme-subsys non-hotpluggable

2021-07-11 Thread Klaus Jensen
From: Klaus Jensen 

We currently lack the infrastructure to handle subsystem hotplugging, so
disable it.

Reviewed-by: Hannes Reinecke 
Signed-off-by: Klaus Jensen 
---
 hw/nvme/subsys.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/nvme/subsys.c b/hw/nvme/subsys.c
index 192223d17ca1..dc7a96862f37 100644
--- a/hw/nvme/subsys.c
+++ b/hw/nvme/subsys.c
@@ -61,6 +61,7 @@ static void nvme_subsys_class_init(ObjectClass *oc, void 
*data)
 
 dc->realize = nvme_subsys_realize;
 dc->desc = "Virtual NVMe subsystem";
+dc->hotpluggable = false;
 
 device_class_set_props(dc, nvme_subsystem_props);
 }
-- 
2.32.0




[PULL 0/6] hw/nvme patches

2021-07-11 Thread Klaus Jensen
From: Klaus Jensen 

Hi Peter,

The following changes since commit 9516034d05a8c71ef157a59f525e4c4f7ed79827:

  Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-6.1-2' into 
staging (2021-07-11 14:32:49 +0100)

are available in the Git repository at:

  git://git.infradead.org/qemu-nvme.git tags/nvme-next-pull-request

for you to fetch changes up to 9cc1a34ec4fe7e89e44e460dcf50159e40962e59:

  hw/nvme: fix controller hot unplugging (2021-07-11 21:50:22 +0200)


hw/nvme patches

* new PMR test (Gollu Appalanaidu)
* pmr/sgl mapping fix (Padmakar Kalghatgi)
* hotplug fixes (me)



Gollu Appalanaidu (1):
  tests/qtest/nvme-test: add persistent memory region test

Klaus Jensen (4):
  hw/nvme: remove NvmeCtrl parameter from ns setup/check functions
  hw/nvme: mark nvme-subsys non-hotpluggable
  hw/nvme: unregister controller with subsystem at exit
  hw/nvme: fix controller hot unplugging

Padmakar Kalghatgi (1):
  hw/nvme: error handling for too many mappings

 hw/nvme/nvme.h  | 18 ++--
 hw/nvme/ctrl.c  | 27 ++
 hw/nvme/ns.c| 55 -
 hw/nvme/subsys.c|  9 ++
 tests/qtest/nvme-test.c | 61 -
 hw/nvme/trace-events|  1 +
 6 files changed, 137 insertions(+), 34 deletions(-)

-- 
2.32.0




Re: [PATCH v3 0/5] target/mips: Reintroduce the R5900 CPU

2021-07-11 Thread Philippe Mathieu-Daudé
On 3/12/21 5:24 PM, Philippe Mathieu-Daudé wrote:
> I'm running out of time to address Richard's comments on the new
> opcodes, so let's KISS and only fix RDHWR (after adding LQ/SQ).
> 
> Missing review: 3 & 5
> - target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
> - tests/tcg/mips: Test user mode DMULT for the R5900
> 
> Based-on: mips-next
> Supersedes: <20210309145653.743937-1-f4...@amsat.org>
> 
> Fredrik Noring (1):
>   tests/tcg/mips: Test user mode DMULT for the R5900
> 
> Philippe Mathieu-Daudé (4):
>   target/mips/tx79: Introduce LQ opcode (Load Quadword)
>   target/mips/tx79: Introduce SQ opcode (Store Quadword)
>   target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
>   target/mips: Reintroduce the R5900 CPU

Patches 1 & 2 queued to mips-next.



Re: [RFC PATCH v2 00/22] target/mips: Reintroduce the R5900 CPU (without testing)

2021-07-11 Thread Philippe Mathieu-Daudé
On 3/9/21 3:56 PM, Philippe Mathieu-Daudé wrote:
> First part (TCG, testing postponed) of RFC v1:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg782449.html
> 
> 3 patches can still be improved for performance, but the improvement
> is not yet addressed in this series. Other patches are good enough
> for review.
> 
> https://gitlab.com/philmd/qemu/-/commits/mips-r5900-v2
> Based-on: mips-next
> Supersedes: <20210214175912.732946-1-f4...@amsat.org>
> 
> Philippe Mathieu-Daudé (22):
>   target/mips/tx79: Move MFHI1 / MFLO1 opcodes to decodetree
>   target/mips/tx79: Move MTHI1 / MTLO1 opcodes to decodetree
>   target/mips/translate: Make gen_rdhwr() public
>   target/mips/translate: Simplify PCPYH using deposit_i64()
>   target/mips/tx79: Move PCPYH opcode to decodetree
>   target/mips/tx79: Move PCPYLD / PCPYUD opcodes to decodetree
>   target/mips: Remove 'C790 Multimedia Instructions' dead code
>   target/mips/tx79: Salvage instructions description comment
>   target/mips/tx79: Introduce PAND/POR/PXOR/PNOR opcodes (parallel
> logic)
>   target/mips/tx79: Introduce PSUB* opcodes (Parallel Subtract)
>   target/mips/tx79: Introduce PEXTUW (Parallel Extend Upper from Word)
>   target/mips/tx79: Introduce PEXTL[BHW] opcodes (Parallel Extend Lower)
>   target/mips/tx79: Introduce PCEQ* opcodes (Parallel Compare for Equal)
>   target/mips/tx79: Introduce PCGT* (Parallel Compare for Greater Than)
>   target/mips/tx79: Introduce PPACW opcode (Parallel Pack to Word)
>   target/mips/tx79: Introduce PINTEH (Parallel Interleave Even Halfword)
>   target/mips/tx79: Introduce PEXE[HW] opcodes (Parallel Exchange Even)
>   target/mips/tx79: Introduce PROT3W opcode (Parallel Rotate 3 Words)
>   target/mips/tx79: Introduce LQ opcode (Load Quadword)
>   target/mips/tx79: Introduce SQ opcode (Store Quadword)
>   target/mips/tx79: Move RDHWR usermode kludge to trans_SQ()
>   target/mips: Reintroduce the R5900 CPU

Patches 9-15 & 18 applied to mips-next.



About two-dimensional page translation (e.g., Intel EPT) and shadow page table in Linux QEMU/KVM

2021-07-11 Thread harry harry
Hi all,

I hope you are very well! May I know whether it is possible to enable
two-dimensional page translation (e.g., Intel EPT) mechanisms and
shadow page table mechanisms in Linux QEMU/KVM at the same time on a
physical server? For example, if the physical server has 80 cores, is
it possible to let 40 cores use Intel EPT mechanisms for page
translation and the other 40 cores use shadow page table mechanisms?
Thanks!

Best,
Harry



Re: [PATCH v4 0/5] dp8393x: fixes and improvements

2021-07-11 Thread Mark Cave-Ayland

On 11/07/2021 11:36, Philippe Mathieu-Daudé wrote:


> Hi Mark,
>
> This should be the last respin.
>
> Since v3:
> - dropped worrying patches
> - squashed migration patch
> - added tags
>
> Patch #3 (dp8393x: Store CAM registers as 16-bit) still
> misses your S-o-b tag.
>
> Based-on mips-next.
>
> Mark Cave-Ayland (1):
>   dp8393x: don't force 32-bit register access
>
> Philippe Mathieu-Daudé (4):
>   dp8393x: Replace address_space_rw(is_write=1) by address_space_write()
>   dp8393x: Replace 0x40 magic value by SONIC_REG16_COUNT definition
>   dp8393x: Store CAM registers as 16-bit
>   dp8393x: Rewrite dp8393x_get() / dp8393x_put()
>
>   hw/net/dp8393x.c | 206 ---
>   1 file changed, 87 insertions(+), 119 deletions(-)


Thanks Phil. A small typo in the subject line of patch 2, but otherwise this series 
passes my local tests (assuming "dp8393x: fix CAM descriptor entry index" is already 
applied to mips-next).


Tested-by: Mark Cave-Ayland 


ATB,

Mark.



Re: [PATCH v4 2/5] dp8393x: Replace 0x40 magic value by SONIC_REG16_COUNT definition

2021-07-11 Thread Mark Cave-Ayland

On 11/07/2021 11:36, Philippe Mathieu-Daudé wrote:


Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Mark Cave-Ayland 
Tested-by: Finn Thain 
Message-Id: <20210710174954.2577195-3-f4...@amsat.org>
---
  hw/net/dp8393x.c | 7 ---
  1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 9118364aa33..d1e147a82a6 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -85,6 +85,7 @@ static const char *reg_names[] = {
  #define SONIC_MPT0x2e
  #define SONIC_MDT0x2f
  #define SONIC_DCR2   0x3f
+#define SONIC_REG_COUNT  0x40
  
  #define SONIC_CR_HTX 0x0001

  #define SONIC_CR_TXP 0x0002
@@ -158,7 +159,7 @@ struct dp8393xState {
  
  /* Registers */

  uint8_t cam[16][6];
-uint16_t regs[0x40];
+uint16_t regs[SONIC_REG_COUNT];
  
  /* Temporaries */

  uint8_t tx_buffer[0x1];
@@ -972,7 +973,7 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
  
  address_space_init(>as, s->dma_mr, "dp8393x");

  memory_region_init_io(>mmio, OBJECT(dev), _ops, s,
-  "dp8393x-regs", 0x40 << s->it_shift);
+  "dp8393x-regs", SONIC_REG_COUNT << s->it_shift);
  
  s->nic = qemu_new_nic(_dp83932_info, >conf,

object_get_typename(OBJECT(dev)), dev->id, s);
@@ -987,7 +988,7 @@ static const VMStateDescription vmstate_dp8393x = {
  .minimum_version_id = 0,
  .fields = (VMStateField []) {
  VMSTATE_BUFFER_UNSAFE(cam, dp8393xState, 0, 16 * 6),
-VMSTATE_UINT16_ARRAY(regs, dp8393xState, 0x40),
+VMSTATE_UINT16_ARRAY(regs, dp8393xState, SONIC_REG_COUNT),
  VMSTATE_END_OF_LIST()
  }
  };


I just noticed that the subject line is wrong here: the subject line mentions 
SONIC_REG16_COUNT whereas the variable name in the patch is SONIC_REG_COUNT. This is 
trivial enough to fix without resending the series though.



ATB,

Mark.



Re: [PULL 00/17] s390x update for softfreeze

2021-07-11 Thread Peter Maydell
On Fri, 9 Jul 2021 at 16:23, Cornelia Huck  wrote:
>
> On Fri, Jul 09 2021, Peter Maydell  wrote:
>
> > On Thu, 8 Jul 2021 at 16:19, Cornelia Huck  wrote:
> >>
> >> The following changes since commit 
> >> 9aef0954195cc592e86846dbbe7f3c2c5603690a:
> >>
> >>   Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' 
> >> into staging (2021-07-06 11:24:58 +0100)
> >>
> >> are available in the Git repository at:
> >>
> >>   https://gitlab.com/cohuck/qemu.git tags/s390x-20210708
> >>
> >> for you to fetch changes up to 7ab3eb42b0d795f7321c4fca0ea06cb76a005b04:
> >>
> >>   target/s390x: split sysemu part of cpu models (2021-07-07 14:01:59 +0200)
> >>
> >> 
> >> s390x updates:
> >> - add gen16 cpumodels
> >> - refactor/cleanup some code
> >> - bugfixes
> >>
> >> 
> >>
> >
> > Hi -- this doesn't seem to be signed with the GPG key I have
> > on record for you. If I need to do an update, could you let me
> > know which keyserver you've uploaded to, please?
>
> Whoops, forgot to upload. Sent out to keys.openpgp.org right now.

I still can't see it -- can you double-check, please?

thanks
-- PMM



Re: clang build error on i686

2021-07-11 Thread Peter Maydell
On Sun, 11 Jul 2021 at 16:17, Richard Henderson
 wrote:
>
> On 7/3/21 10:45 AM, Peter Maydell wrote:
> > On Sat, 3 Jul 2021 at 15:37, Cole Robinson  wrote:
> >>
> >> Hi, I'm hitting build errors with clang on i686 userspace on x86_64
> >> kernel. Affects both qemu 6.0.0 and qemu.git, tested with fedora
> >> clang-12.0.1~rc3-1.fc35.i686.
> >>
> >> Full build log from the 6.0.0 build:
> >> https://gist.githubusercontent.com/crobinso/7b1206044eac7326490b2adce829e861/raw/9dddef968051fd6383ba7adb9e595081ad4f8fa4/gistfile1.txt
> >>
> >> Lots of errors like:
> >>
> >> /usr/bin/ld: libqemu-aarch64-softmmu.fa.p/accel_tcg_cputlb.c.o: in
> >> function `helper_atomic_cmpxchgq_le_mmu':
> >> /builddir/build/BUILD/qemu-6.0.0/accel/tcg/atomic_template.h:86:
> >> undefined reference to `__atomic_compare_exchange_8'
> >> /usr/bin/ld: libqemu-aarch64-softmmu.fa.p/accel_tcg_cputlb.c.o: in
> >> function `helper_atomic_xchgq_le_mmu':
> >> /builddir/build/BUILD/qemu-6.0.0/accel/tcg/atomic_template.h:134:
> >> undefined reference to `__atomic_exchange_8'
> >>
> >> Also warnings like:
> >>
> >> /builddir/build/BUILD/qemu-6.0.0/include/qemu/stats64.h:58:21: warning:
> >> misaligned atomic operation may incur significant performance penalty;
> >> the expected alignment (8 bytes) exceeds the actual alignment (4 bytes)
> >> [-Watomic-alignment]
> >>  uint64_t orig = qatomic_read__nocheck(>value);
> >>  ^
> >> /builddir/build/BUILD/qemu-6.0.0/include/qemu/atomic.h:129:5: note:
> >> expanded from macro 'qatomic_read__nocheck'
> >>  __atomic_load_n(ptr, __ATOMIC_RELAXED)
> >
> > I think at least part of what is happening here is that this compiler/host
> > doesn't support native 64-bit atomics, but configure has selected
> > CONFIG_ATOMIC64 anyway.
>
> Not true.  The host certainly supports it.
>
> This is a new alignment warning in clang-12 wrt the alignment of the atomic 
> operation.
> Which may be complicated by the fact that the i386 abi does not normally 
> align structures
> beyond 4 bytes.
>
> We may need to disable this warning for i386 (but not x86_64).

The first part of the problem isn't just a warning, though -- it's clang
actually emitting calls to libatomic.

-- PMM



Re: [GIT PULL v2] I2C/IPMI bug fixes for QEMU 6.1

2021-07-11 Thread Peter Maydell
On Fri, 9 Jul 2021 at 17:30, Corey Minyard  wrote:
>
> The following changes since commit 38848ce565849e5b867a5e08022b3c755039c11a:
>
>   Merge remote-tracking branch 
> 'remotes/pmaydell/tags/pull-target-arm-20210616' into staging (2021-06-16 
> 17:02:30 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/cminyard/qemu.git tags/for-qemu-6.1-2
>
> for you to fetch changes up to 7649086f455fe44bd076828749a93ab2a5bb0806:
>
>   tests/qtest: add tests for MAX34451 device model (2021-07-08 14:42:00 -0500)
>
> Changes from v1:
>
> For the 64-bit field in the PMBus patch, use BIT_ULL for the bits to
> fix compile issues on 32-bit hosts.
>
> I updated my testing to build and test on a 32-bit host, which proved to
> be a bit more challenging than I expected.  But compiled and tested
> there, too.
>
> Thank you,
>
> -corey
>
> 
> Some qemu updates for IPMI and I2C
>
> Move some ADC file to where they belong and move some sensors to a
> sensor directory, since with new BMCs coming in lots of different
> sensors should be coming in.  Keep from cluttering things up.
>
> Add support for I2C PMBus devices.
>
> Replace the confusing and error-prone i2c_send_recv and i2c_transfer with
> specific send and receive functions.  Several errors have already been
> made with these, avoid any new errors.
>
> Fix the watchdog_expired field in the IPMI watchdog, it's not a bool,
> it's a u8.  After a vmstate transfer, the new value could be wrong.
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM



Re: [PATCH 1/3] qga-win: Increase VSS freeze timeout to 60 secs instead of 10

2021-07-11 Thread Konstantin Kostiuk
ping

On Sun, Jul 4, 2021 at 8:52 AM Konstantin Kostiuk 
wrote:

> ping
>
> On Mon, Apr 5, 2021 at 4:14 PM Basil Salman  wrote:
>
>> Currently Requester freeze times out after 10 seconds, while
>> the default timeout for Writer Freeze is 60 seconds. according to
>> VSS Documentation [1].
>> [1]:
>> https://docs.microsoft.com/en-us/windows/win32/vss/overview-of-processing-a-backup-under-vss
>>
>> Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1909073
>>
>> Signed-off-by: Basil Salman 
>> Signed-off-by: Basil Salman 
>> ---
>>  qga/vss-win32/requester.cpp | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/qga/vss-win32/requester.cpp b/qga/vss-win32/requester.cpp
>> index 5378c55d23..940a2c8f55 100644
>> --- a/qga/vss-win32/requester.cpp
>> +++ b/qga/vss-win32/requester.cpp
>> @@ -18,7 +18,7 @@
>>  #include 
>>
>>  /* Max wait time for frozen event (VSS can only hold writes for 10
>> seconds) */
>> -#define VSS_TIMEOUT_FREEZE_MSEC 1
>> +#define VSS_TIMEOUT_FREEZE_MSEC 6
>>
>>  /* Call QueryStatus every 10 ms while waiting for frozen event */
>>  #define VSS_TIMEOUT_EVENT_MSEC 10
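Review bot: the context comment directly above the changed define still reads "VSS can only hold writes for 10 seconds" although the commit raises the requester's freeze timeout to match the 60 second writer default. Update the comment in the same change so it explains the new value and points at the VSS documentation the commit message cites; as it stands the comment and the constant contradict each other.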
>> --
>> 2.17.2
>>
>>


[PULL 1/9] tests: Rename TestState to TPMTestState

2021-07-11 Thread Stefan Berger
Signed-off-by: Stefan Berger 
Reviewed-by: Igor Mammedov 
Message-id: 20210708183814.925960-2-stef...@linux.vnet.ibm.com
---
 tests/qtest/bios-tables-test.c| 2 +-
 tests/qtest/tpm-crb-test.c| 4 ++--
 tests/qtest/tpm-emu.c | 6 +++---
 tests/qtest/tpm-emu.h | 6 +++---
 tests/qtest/tpm-tis-device-test.c | 2 +-
 tests/qtest/tpm-tis-test.c| 2 +-
 tests/qtest/tpm-tis-util.c| 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 51d3a4e239..a622f91a37 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -1098,7 +1098,7 @@ static void test_acpi_tcg_tpm(const char *machine, const 
char *tpm_if,
 gchar *tmp_dir_name = g_strdup_printf("qemu-test_acpi_%s_tcg_%s.XX",
   machine, tpm_if);
 char *tmp_path = g_dir_make_tmp(tmp_dir_name, NULL);
-TestState test;
+TPMTestState test;
 test_data data;
 GThread *thread;
 char *args, *variant = g_strdup_printf(".%s", tpm_if);
diff --git a/tests/qtest/tpm-crb-test.c b/tests/qtest/tpm-crb-test.c
index ed533900d1..50936f1482 100644
--- a/tests/qtest/tpm-crb-test.c
+++ b/tests/qtest/tpm-crb-test.c
@@ -26,7 +26,7 @@ uint64_t tpm_tis_base_addr = TPM_TIS_ADDR_BASE;
 
 static void tpm_crb_test(const void *data)
 {
-const TestState *s = data;
+const TPMTestState *s = data;
 uint32_t intfid = readl(TPM_CRB_ADDR_BASE + A_CRB_INTF_ID);
 uint32_t csize = readl(TPM_CRB_ADDR_BASE + A_CRB_CTRL_CMD_SIZE);
 uint64_t caddr = readq(TPM_CRB_ADDR_BASE + A_CRB_CTRL_CMD_LADDR);
@@ -145,7 +145,7 @@ int main(int argc, char **argv)
 int ret;
 char *args, *tmp_path = g_dir_make_tmp("qemu-tpm-crb-test.XX", NULL);
 GThread *thread;
-TestState test;
+TPMTestState test;
 
 module_call_init(MODULE_INIT_QOM);
 g_test_init(, , NULL);
diff --git a/tests/qtest/tpm-emu.c b/tests/qtest/tpm-emu.c
index 2e8eb7b94f..b9cddcc240 100644
--- a/tests/qtest/tpm-emu.c
+++ b/tests/qtest/tpm-emu.c
@@ -18,7 +18,7 @@
 #include "qapi/error.h"
 #include "tpm-emu.h"
 
-void tpm_emu_test_wait_cond(TestState *s)
+void tpm_emu_test_wait_cond(TPMTestState *s)
 {
 gint64 end_time = g_get_monotonic_time() + 5 * G_TIME_SPAN_SECOND;
 
@@ -36,7 +36,7 @@ void tpm_emu_test_wait_cond(TestState *s)
 
 static void *tpm_emu_tpm_thread(void *data)
 {
-TestState *s = data;
+TPMTestState *s = data;
 QIOChannel *ioc = s->tpm_ioc;
 
 s->tpm_msg = g_new(struct tpm_hdr, 1);
@@ -71,7 +71,7 @@ static void *tpm_emu_tpm_thread(void *data)
 
 void *tpm_emu_ctrl_thread(void *data)
 {
-TestState *s = data;
+TPMTestState *s = data;
 QIOChannelSocket *lioc = qio_channel_socket_new();
 QIOChannel *ioc;
 
diff --git a/tests/qtest/tpm-emu.h b/tests/qtest/tpm-emu.h
index 73f3bed0c4..b066ad63fb 100644
--- a/tests/qtest/tpm-emu.h
+++ b/tests/qtest/tpm-emu.h
@@ -26,7 +26,7 @@ struct tpm_hdr {
 char buffer[];
 } QEMU_PACKED;
 
-typedef struct TestState {
+typedef struct TPMTestState {
 GMutex data_mutex;
 GCond data_cond;
 bool data_cond_signal;
@@ -34,9 +34,9 @@ typedef struct TestState {
 QIOChannel *tpm_ioc;
 GThread *emu_tpm_thread;
 struct tpm_hdr *tpm_msg;
-} TestState;
+} TPMTestState;
 
-void tpm_emu_test_wait_cond(TestState *s);
+void tpm_emu_test_wait_cond(TPMTestState *s);
 void *tpm_emu_ctrl_thread(void *data);
 
 #endif /* TESTS_TPM_EMU_H */
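Review bot: The commit message gives no reason for renaming `TestState` to `TPMTestState` in tpm-emu.h, the header the other six files follow; it carries tags only. A sentence on why the name changes would help anyone reading the history later.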
diff --git a/tests/qtest/tpm-tis-device-test.c 
b/tests/qtest/tpm-tis-device-test.c
index 63ed36440f..d36ae20243 100644
--- a/tests/qtest/tpm-tis-device-test.c
+++ b/tests/qtest/tpm-tis-device-test.c
@@ -33,7 +33,7 @@ int main(int argc, char **argv)
 {
 char *tmp_path = g_dir_make_tmp("qemu-tpm-tis-device-test.XX", NULL);
 GThread *thread;
-TestState test;
+TPMTestState test;
 char *args;
 int ret;
 
diff --git a/tests/qtest/tpm-tis-test.c b/tests/qtest/tpm-tis-test.c
index 79ffbc943e..6fee4779ea 100644
--- a/tests/qtest/tpm-tis-test.c
+++ b/tests/qtest/tpm-tis-test.c
@@ -29,7 +29,7 @@ int main(int argc, char **argv)
 int ret;
 char *args, *tmp_path = g_dir_make_tmp("qemu-tpm-tis-test.XX", NULL);
 GThread *thread;
-TestState test;
+TPMTestState test;
 
 module_call_init(MODULE_INIT_QOM);
 g_test_init(, , NULL);
diff --git a/tests/qtest/tpm-tis-util.c b/tests/qtest/tpm-tis-util.c
index 9aff503fd8..939893bf01 100644
--- a/tests/qtest/tpm-tis-util.c
+++ b/tests/qtest/tpm-tis-util.c
@@ -373,7 +373,7 @@ void tpm_tis_test_check_access_reg_release(const void *data)
  */
 void tpm_tis_test_check_transmit(const void *data)
 {
-const TestState *s = data;
+const TPMTestState *s = data;
 uint8_t access;
 uint32_t sts;
 uint16_t bcount;
-- 
2.31.1




[PULL 5/9] tests: acpi: tpm2: Add the renamed ACPI files and drop old ones

2021-07-11 Thread Stefan Berger
Cc: Michael S. Tsirkin 
Cc: Igor Mammedov 
Signed-off-by: Stefan Berger 
Acked-by: Igor Mammedov 
Message-id: 20210708183814.925960-6-stef...@linux.vnet.ibm.com
---
 tests/data/acpi/q35/DSDT.tis| Bin 8465 -> 0 bytes
 tests/data/acpi/q35/DSDT.tis.tpm2   | Bin 0 -> 8465 bytes
 tests/data/acpi/q35/TPM2.tis| Bin 76 -> 0 bytes
 tests/data/acpi/q35/TPM2.tis.tpm2   | Bin 0 -> 76 bytes
 tests/qtest/bios-tables-test-allowed-diff.h |   2 --
 5 files changed, 2 deletions(-)
 delete mode 100644 tests/data/acpi/q35/DSDT.tis
 delete mode 100644 tests/data/acpi/q35/TPM2.tis

diff --git a/tests/data/acpi/q35/DSDT.tis b/tests/data/acpi/q35/DSDT.tis
deleted file mode 100644
index 
15a26a14e4be5280c0f1cc09f66428311100b7ab..
GIT binary patch
literal 0
HcmV?d1

literal 8465

diff --git a/tests/data/acpi/q35/DSDT.tis.tpm2 
b/tests/data/acpi/q35/DSDT.tis.tpm2
index 
e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..15a26a14e4be5280c0f1cc09f66428311100b7ab
 100644
GIT binary patch
literal 8465

[PULL 0/9] Merge tpm 2021/07/11 v1

2021-07-11 Thread Stefan Berger
This series extends TPM-related ACPI test cases to also verify the TPM 1.2
ACPI table 'TCPA'.

   Stefan

The following changes since commit 9db3065c62a983286d06c207f4981408cf42184d:

  Merge remote-tracking branch 
'remotes/vivier2/tags/linux-user-for-6.1-pull-request' into staging (2021-07-08 
16:30:18 +0100)

are available in the Git repository at:

  git://github.com/stefanberger/qemu-tpm.git tags/pull-tpm-2021-07-11-1

for you to fetch changes up to a1b5cc4a84164bc36d355853a11b706ed52bce15:

  tests: acpi: tpm1.2: Add expected TPM 1.2 ACPI blobs (2021-07-09 09:13:16 
-0400)


Stefan Berger (9):
  tests: Rename TestState to TPMTestState
  tests: Add tpm_version field to TPMTestState and fill it
  tests: acpi: Prepare for renaming of TPM2 related ACPI files
  tests: Add suffix 'tpm2' or 'tpm12' to ACPI table files
  tests: acpi: tpm2: Add the renamed ACPI files and drop old ones
  tests: tpm: Create TPM 1.2 response in TPM emulator
  tests: acpi: prepare for new TPM 1.2 related tables
  tests: acpi: Add test cases for TPM 1.2 with TCPA table
  tests: acpi: tpm1.2: Add expected TPM 1.2 ACPI blobs

 tests/data/acpi/q35/DSDT.tis.tpm12  | Bin 0 -> 8465 bytes
 tests/data/acpi/q35/{DSDT.tis => DSDT.tis.tpm2} | Bin
 tests/data/acpi/q35/TCPA.tis.tpm12  | Bin 0 -> 50 bytes
 tests/data/acpi/q35/{TPM2.tis => TPM2.tis.tpm2} | Bin
 tests/qtest/bios-tables-test.c  |  20 ++--
 tests/qtest/tpm-crb-test.c  |   5 +++--
 tests/qtest/tpm-emu.c   |  24 ++--
 tests/qtest/tpm-emu.h   |  11 ---
 tests/qtest/tpm-tis-device-test.c   |   3 ++-
 tests/qtest/tpm-tis-test.c  |   3 ++-
 tests/qtest/tpm-tis-util.c  |   2 +-
 11 files changed, 48 insertions(+), 20 deletions(-)
 create mode 100644 tests/data/acpi/q35/DSDT.tis.tpm12
 rename tests/data/acpi/q35/{DSDT.tis => DSDT.tis.tpm2} (100%)
 create mode 100644 tests/data/acpi/q35/TCPA.tis.tpm12
 rename tests/data/acpi/q35/{TPM2.tis => TPM2.tis.tpm2} (100%)

-- 
2.31.1




Re: [PATCH] qga-win: Add support of Windows Server 2022 in get-osinfo command

2021-07-11 Thread Konstantin Kostiuk
ping

On Sun, Jul 4, 2021 at 8:51 AM Konstantin Kostiuk 
wrote:

> ping
>
> On Mon, Jun 21, 2021 at 3:50 PM Kostiantyn Kostiuk 
> wrote:
>
>> Signed-off-by: Kostiantyn Kostiuk 
>> ---
>>  qga/commands-win32.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/qga/commands-win32.c b/qga/commands-win32.c
>> index 300b87c859..93b08fd4b5 100644
>> --- a/qga/commands-win32.c
>> +++ b/qga/commands-win32.c
>> @@ -2209,9 +2209,10 @@ typedef struct _ga_win_10_0_server_t {
>>  char const *version_id;
>>  } ga_win_10_0_server_t;
>>
>> -static ga_win_10_0_server_t const WIN_10_0_SERVER_VERSION_MATRIX[3] = {
>> +static ga_win_10_0_server_t const WIN_10_0_SERVER_VERSION_MATRIX[4] = {
>>  {14393, "Microsoft Windows Server 2016","2016"},
>>  {17763, "Microsoft Windows Server 2019","2019"},
>> +{20344, "Microsoft Windows Server 2022","2022"},
>>  {0, 0}
>>  };
>>
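Review bot: The explicit length in `WIN_10_0_SERVER_VERSION_MATRIX[4]` has to be bumped by hand every time a release is added, and forgetting it risks losing the `{0, 0}` sentinel entry at the end of the table. Declaring the array as `WIN_10_0_SERVER_VERSION_MATRIX[]` lets the compiler size it from the initializer.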
>> --
>> 2.25.1
>>
>


[PULL 6/9] tests: tpm: Create TPM 1.2 response in TPM emulator

2021-07-11 Thread Stefan Berger
Signed-off-by: Stefan Berger 
Acked-by: Igor Mammedov 
Message-id: 20210708183814.925960-7-stef...@linux.vnet.ibm.com
---
 tests/qtest/tpm-emu.c | 5 +
 tests/qtest/tpm-emu.h | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/tests/qtest/tpm-emu.c b/tests/qtest/tpm-emu.c
index 8baf49eafd..32c704194b 100644
--- a/tests/qtest/tpm-emu.c
+++ b/tests/qtest/tpm-emu.c
@@ -62,6 +62,11 @@ static void *tpm_emu_tpm_thread(void *data)
 s->tpm_msg->len = cpu_to_be32(sizeof(struct tpm_hdr));
 s->tpm_msg->code = cpu_to_be32(TPM_RC_FAILURE);
 break;
+case TPM_VERSION_1_2:
+s->tpm_msg->tag = cpu_to_be16(TPM_TAG_RSP_COMMAND);
+s->tpm_msg->len = cpu_to_be32(sizeof(struct tpm_hdr));
+s->tpm_msg->code = cpu_to_be32(TPM_FAIL);
+break;
 default:
 g_debug("unsupport TPM version %u", s->tpm_version);
 g_assert_not_reached();
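Review bot: The new `case TPM_VERSION_1_2:` repeats the `len` assignment of the case above it unchanged; only `tag` and `code` differ between versions. Setting `s->tpm_msg->len` once, outside the switch, would leave each case with just the version-specific fields and make the difference between the two responses easier to see.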
diff --git a/tests/qtest/tpm-emu.h b/tests/qtest/tpm-emu.h
index f7b1e3c6ab..b5354ea101 100644
--- a/tests/qtest/tpm-emu.h
+++ b/tests/qtest/tpm-emu.h
@@ -16,6 +16,9 @@
 #define TPM_RC_FAILURE 0x101
 #define TPM2_ST_NO_SESSIONS 0x8001
 
+#define TPM_FAIL 9
+#define TPM_TAG_RSP_COMMAND 0xc4
+
 #include "qemu/sockets.h"
 #include "io/channel.h"
 #include "sysemu/tpm.h"
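Review bot: The added `TPM_FAIL` and `TPM_TAG_RSP_COMMAND` sit directly under the TPM 2.0 constants with nothing marking them as TPM 1.2 values. A short comment per group would help, and since the tag is written with `cpu_to_be16()`, spelling it `0x00c4` would show its 16-bit width the same way `0x8001` does for `TPM2_ST_NO_SESSIONS`.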
-- 
2.31.1




[PULL 2/9] tests: Add tpm_version field to TPMTestState and fill it

2021-07-11 Thread Stefan Berger
Signed-off-by: Stefan Berger 
Reviewed-by: Igor Mammedov 
Message-id: 20210708183814.925960-3-stef...@linux.vnet.ibm.com
---
 tests/qtest/bios-tables-test.c|  5 +++--
 tests/qtest/tpm-crb-test.c|  1 +
 tests/qtest/tpm-emu.c | 13 ++---
 tests/qtest/tpm-emu.h |  2 ++
 tests/qtest/tpm-tis-device-test.c |  1 +
 tests/qtest/tpm-tis-test.c|  1 +
 6 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index a622f91a37..93c9d306b5 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -1092,7 +1092,7 @@ static void test_acpi_piix4_tcg_numamem(void)
 uint64_t tpm_tis_base_addr;
 
 static void test_acpi_tcg_tpm(const char *machine, const char *tpm_if,
-  uint64_t base)
+  uint64_t base, enum TPMVersion tpm_version)
 {
 #ifdef CONFIG_TPM
 gchar *tmp_dir_name = g_strdup_printf("qemu-test_acpi_%s_tcg_%s.XX",
@@ -1113,6 +1113,7 @@ static void test_acpi_tcg_tpm(const char *machine, const 
char *tpm_if,
 g_mutex_init(_mutex);
 g_cond_init(_cond);
 test.data_cond_signal = false;
+test.tpm_version = tpm_version;
 
 thread = g_thread_new(NULL, tpm_emu_ctrl_thread, );
 tpm_emu_test_wait_cond();
@@ -1145,7 +1146,7 @@ static void test_acpi_tcg_tpm(const char *machine, const 
char *tpm_if,
 
 static void test_acpi_q35_tcg_tpm_tis(void)
 {
-test_acpi_tcg_tpm("q35", "tis", 0xFED4);
+test_acpi_tcg_tpm("q35", "tis", 0xFED4, TPM_VERSION_2_0);
 }
 
 static void test_acpi_tcg_dimm_pxm(const char *machine)
diff --git a/tests/qtest/tpm-crb-test.c b/tests/qtest/tpm-crb-test.c
index 50936f1482..7b94453390 100644
--- a/tests/qtest/tpm-crb-test.c
+++ b/tests/qtest/tpm-crb-test.c
@@ -156,6 +156,7 @@ int main(int argc, char **argv)
 g_mutex_init(_mutex);
 g_cond_init(_cond);
 test.data_cond_signal = false;
+test.tpm_version = TPM_VERSION_2_0;
 
 thread = g_thread_new(NULL, tpm_emu_ctrl_thread, );
 tpm_emu_test_wait_cond();
diff --git a/tests/qtest/tpm-emu.c b/tests/qtest/tpm-emu.c
index b9cddcc240..8baf49eafd 100644
--- a/tests/qtest/tpm-emu.c
+++ b/tests/qtest/tpm-emu.c
@@ -56,9 +56,16 @@ static void *tpm_emu_tpm_thread(void *data)
 s->tpm_msg->code = be32_to_cpu(s->tpm_msg->code);
 
 /* reply error */
-s->tpm_msg->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
-s->tpm_msg->len = cpu_to_be32(sizeof(struct tpm_hdr));
-s->tpm_msg->code = cpu_to_be32(TPM_RC_FAILURE);
+switch (s->tpm_version) {
+case TPM_VERSION_2_0:
+s->tpm_msg->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS);
+s->tpm_msg->len = cpu_to_be32(sizeof(struct tpm_hdr));
+s->tpm_msg->code = cpu_to_be32(TPM_RC_FAILURE);
+break;
+default:
+g_debug("unsupport TPM version %u", s->tpm_version);
+g_assert_not_reached();
+}
 qio_channel_write(ioc, (char *)s->tpm_msg, 
be32_to_cpu(s->tpm_msg->len),
   _abort);
 }
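Review bot: The `g_debug()` string in the new `default:` branch reads "unsupport TPM version" and should be "unsupported TPM version". Since `g_debug()` output is normally suppressed unless debug messages are enabled, the version value will usually not be printed before `g_assert_not_reached()` fires; `g_error()`, which also aborts, would make the value visible.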
diff --git a/tests/qtest/tpm-emu.h b/tests/qtest/tpm-emu.h
index b066ad63fb..f7b1e3c6ab 100644
--- a/tests/qtest/tpm-emu.h
+++ b/tests/qtest/tpm-emu.h
@@ -18,6 +18,7 @@
 
 #include "qemu/sockets.h"
 #include "io/channel.h"
+#include "sysemu/tpm.h"
 
 struct tpm_hdr {
 uint16_t tag;
@@ -34,6 +35,7 @@ typedef struct TPMTestState {
 QIOChannel *tpm_ioc;
 GThread *emu_tpm_thread;
 struct tpm_hdr *tpm_msg;
+enum TPMVersion tpm_version;
 } TPMTestState;
 
 void tpm_emu_test_wait_cond(TPMTestState *s);
diff --git a/tests/qtest/tpm-tis-device-test.c 
b/tests/qtest/tpm-tis-device-test.c
index d36ae20243..3ddefb51ec 100644
--- a/tests/qtest/tpm-tis-device-test.c
+++ b/tests/qtest/tpm-tis-device-test.c
@@ -46,6 +46,7 @@ int main(int argc, char **argv)
 g_mutex_init(_mutex);
 g_cond_init(_cond);
 test.data_cond_signal = false;
+test.tpm_version = TPM_VERSION_2_0;
 
 thread = g_thread_new(NULL, tpm_emu_ctrl_thread, );
 tpm_emu_test_wait_cond();
diff --git a/tests/qtest/tpm-tis-test.c b/tests/qtest/tpm-tis-test.c
index 6fee4779ea..a4a25ba745 100644
--- a/tests/qtest/tpm-tis-test.c
+++ b/tests/qtest/tpm-tis-test.c
@@ -40,6 +40,7 @@ int main(int argc, char **argv)
 g_mutex_init(_mutex);
 g_cond_init(_cond);
 test.data_cond_signal = false;
+test.tpm_version = TPM_VERSION_2_0;
 
 thread = g_thread_new(NULL, tpm_emu_ctrl_thread, );
 tpm_emu_test_wait_cond();
-- 
2.31.1




[PULL 8/9] tests: acpi: Add test cases for TPM 1.2 with TCPA table

2021-07-11 Thread Stefan Berger
Cc: Michael S. Tsirkin 
Cc: Igor Mammedov 
Signed-off-by: Stefan Berger 
Reviewed-by: Igor Mammedov 
Message-id: 20210708183814.925960-9-stef...@linux.vnet.ibm.com
---
 tests/qtest/bios-tables-test.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 4ccbe56158..ddfd2d2b2a 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -1145,11 +1145,16 @@ static void test_acpi_tcg_tpm(const char *machine, 
const char *tpm_if,
 #endif
 }
 
-static void test_acpi_q35_tcg_tpm_tis(void)
+static void test_acpi_q35_tcg_tpm2_tis(void)
 {
 test_acpi_tcg_tpm("q35", "tis", 0xFED4, TPM_VERSION_2_0);
 }
 
+static void test_acpi_q35_tcg_tpm12_tis(void)
+{
+test_acpi_tcg_tpm("q35", "tis", 0xFED4, TPM_VERSION_1_2);
+}
+
 static void test_acpi_tcg_dimm_pxm(const char *machine)
 {
 test_data data;
@@ -1518,7 +1523,8 @@ int main(int argc, char *argv[])
 return ret;
 }
 qtest_add_func("acpi/q35/oem-fields", test_acpi_oem_fields_q35);
-qtest_add_func("acpi/q35/tpm-tis", test_acpi_q35_tcg_tpm_tis);
+qtest_add_func("acpi/q35/tpm2-tis", test_acpi_q35_tcg_tpm2_tis);
+qtest_add_func("acpi/q35/tpm12-tis", test_acpi_q35_tcg_tpm12_tis);
 qtest_add_func("acpi/piix4", test_acpi_piix4_tcg);
 qtest_add_func("acpi/oem-fields", test_acpi_oem_fields_pc);
 qtest_add_func("acpi/piix4/bridge", test_acpi_piix4_tcg_bridge);
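Review bot: The registered test path changes from "acpi/q35/tpm-tis" to "acpi/q35/tpm2-tis" in `main()`, which affects anyone selecting the test by path, and the commit message does not mention it. A line in the log noting the rename alongside the new "acpi/q35/tpm12-tis" entry would cover that.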
-- 
2.31.1




[PULL 3/9] tests: acpi: Prepare for renaming of TPM2 related ACPI files

2021-07-11 Thread Stefan Berger
Cc: Michael S. Tsirkin 
Cc: Igor Mammedov 
Signed-off-by: Stefan Berger 
Reviewed-by: Igor Mammedov 
Message-id: 20210708183814.925960-4-stef...@linux.vnet.ibm.com
---
 tests/data/acpi/q35/DSDT.tis.tpm2   | 0
 tests/data/acpi/q35/TPM2.tis.tpm2   | 0
 tests/qtest/bios-tables-test-allowed-diff.h | 2 ++
 3 files changed, 2 insertions(+)
 create mode 100644 tests/data/acpi/q35/DSDT.tis.tpm2
 create mode 100644 tests/data/acpi/q35/TPM2.tis.tpm2

diff --git a/tests/data/acpi/q35/DSDT.tis.tpm2 
b/tests/data/acpi/q35/DSDT.tis.tpm2
new file mode 100644
index 00..e69de29bb2
diff --git a/tests/data/acpi/q35/TPM2.tis.tpm2 
b/tests/data/acpi/q35/TPM2.tis.tpm2
new file mode 100644
index 00..e69de29bb2
diff --git a/tests/qtest/bios-tables-test-allowed-diff.h 
b/tests/qtest/bios-tables-test-allowed-diff.h
index dfb8523c8b..b301b8fa06 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1 +1,3 @@
 /* List of comma-separated changed AML files to ignore */
+"tests/data/acpi/q35/DSDT.tis.tpm2",
+"tests/data/acpi/q35/TPM2.tis.tpm2",
-- 
2.31.1




[PULL 9/9] tests: acpi: tpm1.2: Add expected TPM 1.2 ACPI blobs

2021-07-11 Thread Stefan Berger
The TCPA.tis.tpm12 file contains the following:

[000h    4]Signature : "TCPA"[Trusted Computing 
Platform Alliance table]
[004h 0004   4] Table Length : 0032
[008h 0008   1] Revision : 02
[009h 0009   1] Checksum : 32
[00Ah 0010   6]   Oem ID : "BOCHS "
[010h 0016   8] Oem Table ID : "BXPC"
[018h 0024   4] Oem Revision : 0001
[01Ch 0028   4]  Asl Compiler ID : "BXPC"
[020h 0032   4]Asl Compiler Revision : 0001

[024h 0036   2]   Platform Class : 
[026h 0038   4] Min Event Log Length : 0001
[02Ah 0042   8]Event Log Address : 07FF

Cc: Michael S. Tsirkin 
Cc: Igor Mammedov 
Signed-off-by: Stefan Berger 
Acked-by: Igor Mammedov 
Message-id: 20210708183814.925960-10-stef...@linux.vnet.ibm.com
---
 tests/data/acpi/q35/DSDT.tis.tpm12  | Bin 0 -> 8465 bytes
 tests/data/acpi/q35/TCPA.tis.tpm12  | Bin 0 -> 50 bytes
 tests/qtest/bios-tables-test-allowed-diff.h |   2 --
 3 files changed, 2 deletions(-)

diff --git a/tests/data/acpi/q35/DSDT.tis.tpm12 
b/tests/data/acpi/q35/DSDT.tis.tpm12
index 
e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..4178162b0b20b2a4a391daa73264963c28a99a3a
 100644
GIT binary patch
literal 8465

[PULL 4/9] tests: Add suffix 'tpm2' or 'tpm12' to ACPI table files

2021-07-11 Thread Stefan Berger
Cc: Michael S. Tsirkin 
Cc: Igor Mammedov 
Signed-off-by: Stefan Berger 
Reviewed-by: Igor Mammedov 
Message-id: 20210708183814.925960-5-stef...@linux.vnet.ibm.com
---
 tests/qtest/bios-tables-test.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 93c9d306b5..4ccbe56158 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -1101,7 +1101,8 @@ static void test_acpi_tcg_tpm(const char *machine, const 
char *tpm_if,
 TPMTestState test;
 test_data data;
 GThread *thread;
-char *args, *variant = g_strdup_printf(".%s", tpm_if);
+const char *suffix = tpm_version == TPM_VERSION_2_0 ? "tpm2" : "tpm12";
+char *args, *variant = g_strdup_printf(".%s.%s", tpm_if, suffix);
 
 tpm_tis_base_addr = base;
 
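Review bot: The `suffix` ternary maps every value other than `TPM_VERSION_2_0` to "tpm12", so an unset or future `tpm_version` would silently select the TPM 1.2 expected tables. A `switch` on `tpm_version` with `g_assert_not_reached()` in the default case, as tpm-emu.c does in this series, would catch that instead.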
-- 
2.31.1




[PULL 7/9] tests: acpi: prepare for new TPM 1.2 related tables

2021-07-11 Thread Stefan Berger
Cc: Michael S. Tsirkin 
Cc: Igor Mammedov 
Signed-off-by: Stefan Berger 
Acked-by: Igor Mammedov 
Message-id: 20210708183814.925960-8-stef...@linux.vnet.ibm.com
---
 tests/data/acpi/q35/DSDT.tis.tpm12  | 0
 tests/data/acpi/q35/TCPA.tis.tpm12  | 0
 tests/qtest/bios-tables-test-allowed-diff.h | 2 ++
 3 files changed, 2 insertions(+)
 create mode 100644 tests/data/acpi/q35/DSDT.tis.tpm12
 create mode 100644 tests/data/acpi/q35/TCPA.tis.tpm12

diff --git a/tests/data/acpi/q35/DSDT.tis.tpm12 
b/tests/data/acpi/q35/DSDT.tis.tpm12
new file mode 100644
index 00..e69de29bb2
diff --git a/tests/data/acpi/q35/TCPA.tis.tpm12 
b/tests/data/acpi/q35/TCPA.tis.tpm12
new file mode 100644
index 00..e69de29bb2
diff --git a/tests/qtest/bios-tables-test-allowed-diff.h 
b/tests/qtest/bios-tables-test-allowed-diff.h
index dfb8523c8b..fb093b32b9 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1 +1,3 @@
 /* List of comma-separated changed AML files to ignore */
+"tests/data/acpi/q35/DSDT.tis.tpm12",
+"tests/data/acpi/q35/TCPA.tis.tpm12",
-- 
2.31.1




Re: intermittent hang in qos-test for qemu-system-i386 on 32-bit arm host

2021-07-11 Thread Peter Maydell
On Sat, 10 Jul 2021 at 14:30, Peter Maydell  wrote:
>
> I've noticed recently that intermittently 'make check' will hang on
> my aarch32 test system (really an aarch64 box with an aarch32 chroot).
>
> I think from grep that this must be the vhost-user-blk test.

I've also now seen this on qemu-system-i386 guest x86-64 Linux host:

Process tree:
petmay01 28992  0.0  0.0 123812  8612 ?Sl   14:46   0:01
   \_ tests/qtest/qos-test --tap -k -m quick
petmay01 30068  0.0  0.0 379204 20580 ?Sl   14:46   0:00
   |   \_ ./storage-daemon/qemu-storage-daemon
--blockdev driver=file,node-name=disk0,filename=qtest.6kY6px --export
type=vhost-user-blk,id=disk0,addr.type=unix,addr.path=/tmp/qtest-28992-sock.4Kgtk1,node-name=disk0,writable=on,num-queues=1
petmay01 30070  0.0  0.1 1083248 63748 ?   Sl   14:46   0:00
   |   \_ ./qemu-system-i386 -qtest
unix:/tmp/qtest-28992.sock -qtest-log /dev/null -chardev
socket,path=/tmp/qtest-28992.qmp,id=char0 -mon
chardev=char0,mode=control -display none -M pc -device
vhost-user-blk-pci,id=drv0,chardev=char1,addr=4.0 -object
memory-backend-memfd,id=mem,size=256M,share=on -M memory-backend=mem
-m 256M -chardev socket,id=char1,path=/tmp/qtest-28992-sock.4Kgtk1
-accel qtest


Backtrace, qos-test:
(gdb) thread apply all bt

Thread 2 (Thread 0x7fd086f1c700 (LWP 28995)):
#0  syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1  0x56448599484b in qemu_futex_wait (val=,
f=)
at /mnt/nvmedisk/linaro/qemu-for-merges/include/qemu/futex.h:29
#2  qemu_event_wait (ev=ev@entry=0x564485c322e8 )
at ../../util/qemu-thread-posix.c:480
#3  0x56448599dc18 in call_rcu_thread (opaque=opaque@entry=0x0) at
../../util/rcu.c:258
#4  0x564485993966 in qemu_thread_start (args=)
at ../../util/qemu-thread-posix.c:541
#5  0x7fd088b446db in start_thread (arg=0x7fd086f1c700) at
pthread_create.c:463
#6  0x7fd08886d71f in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7fd089d9a900 (LWP 28992)):
#0  0x7fd088b4e474 in __libc_read (fd=6,
buf=buf@entry=0x7fff05f024f0, nbytes=nbytes@entry=1024)
at ../sysdeps/unix/sysv/linux/read.c:27
#1  0x564485947cb2 in read (__nbytes=1024, __buf=0x7fff05f024f0,
__fd=)
at /usr/include/x86_64-linux-gnu/bits/unistd.h:44
#2  qtest_client_socket_recv_line (s=0x5644866f38b0) at
../../tests/qtest/libqtest.c:494
#3  0x564485947e61 in qtest_rsp_args (s=s@entry=0x5644866f38b0,
expected_args=expected_args@entry=1) at ../../tests/qtest/libqtest.c:521
#4  0x56448594846f in qtest_query_target_endianness (s=0x5644866f38b0)
at ../../tests/qtest/libqtest.c:570
#5  0x564485948ed2 in qtest_init_without_qmp_handshake
(extra_args=)
at ../../tests/qtest/libqtest.c:332
#6  0x564485949616 in qtest_init (extra_args=) at
../../tests/qtest/libqtest.c:339
#7  0x5644859338cd in qtest_start (
args=0x5644866f6d00 "-M pc  -device
vhost-user-blk-pci,id=drv0,chardev=char1,addr=4.0 -object
memory-backend-memfd,id=mem,size=256M,share=on  -M memory-backend=mem
-m 256M -chardev socket,id=char1,path=/tmp/qtest-28992-so"...) at
../../tests/qtest/libqtest-single.h:29
#8  restart_qemu_or_continue (
path=0x5644866f6d00 "-M pc  -device
vhost-user-blk-pci,id=drv0,chardev=char1,addr=4.0 -object
memory-backend-memfd,id=mem,size=256M,share=on  -M memory-backend=mem
-m 256M -chardev socket,id=char1,path=/tmp/qtest-28992-so"...) at
../../tests/qtest/qos-test.c:105
#9  run_one_test (arg=) at ../../tests/qtest/qos-test.c:178
#10 0x7fd08990c05a in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x7fd08990bf8b in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x7fd08990c232 in g_test_run_suite () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x7fd08990c251 in g_test_run () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x564485932359 in main (argc=, argv=, envp=)
at ../../tests/qtest/qos-test.c:338

Backtrace, qemu-system-i386:
Thread 4 (Thread 0x7f965ac7f700 (LWP 30079)):
#0  0x7f9674b6938c in __GI___sigtimedwait (set=,
set@entry=0x7f965ac7c090, info=info@entry=0x7f965ac7bfd0,
timeout=timeout@entry=0x0)
at ../sysdeps/unix/sysv/linux/sigtimedwait.c:42
#1  0x7f9674f2c54c in __sigwait (set=set@entry=0x7f965ac7c090,
sig=sig@entry=0x7f965ac7c08c)
at ../sysdeps/unix/sysv/linux/sigwait.c:28
#2  0x55c2a04af6b3 in dummy_cpu_thread_fn (arg=arg@entry=0x55c2a1727aa0)
at 

Re: [PATCH 0/4] support dirtyrate measurement with dirty bitmap

2021-07-11 Thread Hyman Huang




On 2021/7/10 2:20, Peter Xu wrote:

Yong,

On Sun, Jun 27, 2021 at 01:38:13PM +0800, huang...@chinatelecom.cn wrote:

From: Hyman Huang(黄勇) 

the dirtyrate measurement implemented by page-sampling originally, it
is not accurate in some scenarios, so we have introduced dirty-ring
based dirtyrate measurement (maybe it will be merged soon), it fixes the
accuracy of page-sampling, and more importantly, it is at the
granularity of vcpu.

dirty-ring method can be used when dirty-ring enable, as supplementary,
we introduce dirty-bitmap method to calculating dirtyrate when dirty log
enable, so that we can also get the accurate dirtyrate if needed in the
absence of dirty-ring.

three things has done to implement the measurement:
- introduce a fresh new dirty bits named DIRTY_MEMORY_DIRTY_RATE, which
   is used to store dirty bitmap after fetching it from kvm. why we do
   not reuse the existing DIRTY_MEMORY_MIGRATION dirty bits is we do not
   want to interfere with migration of and let implementation clear, this
   is also the reason why dirty_memory be split.

   DIRTY_MEMORY_DIRTY_RATE dirty bits will be filled when
   memory_global_dirty_log_sync executed if GLOBAL_DIRTY_DIRTY_RATE bit
   be set in the global_dirty_tracking flag.


I'm not 100% sure this is needed.

Dirty rate measurements do not care about which page is dirtied, it looks like
an overkill to introduce a new bitmap for it.

Indeed, dirty rate measurements only care about the increased dirty
pages number during calculation time.


IMHO we can directly do the calculation when synchronizing the dirty bits in
below functions:

 cpu_physical_memory_set_dirty_range
 cpu_physical_memory_set_dirty_lebitmap
 cpu_physical_memory_sync_dirty_bitmap

Maybe we can define a global statistics for that?

Uhhh... Do you mean that we can reuse the DIRTY_MEMORY_MIGRATION dirty
bits to stat the new dirty pages number and just define the global var
to count the increased dirty pages during the calculation time?
Or do we still use the bitmap, but defined as a global var instead of dirty
bits?




- introduce kvm_get_manual_dirty_log_protect function so that we can
   probe the protect caps of kvm when calculating.

- implement dirtyrate measurement with dirty bitmap with following step:
   1. start the dirty log.

   2. probe the protect cap, if KVM_DIRTY_LOG_INITIALLY_SET is enabled,
  skip the 1'R and do the reset page protection manually, since kvm
  fills the bitmap with 1 bits if this cap is enabled.

   3. clear the DIRTY_MEMORY_DIRTY_RATE dirty bits, prepare to store
  the dirty bitmap.

   4. start memory_global_dirty_log_sync and fetch dirty bitmap from kvm

   5. reap the DIRTY_MEMORY_DIRTY_RATE dirty bits and do the calculation.

this patchset rebases on the commit
"migration/dirtyrate: implement dirty-ring dirtyrate calculation",
since the above feature has not been merged, so we post this patch
for the sake of RFC. ideally, this patchset may be merged after it.


I gave it a shot with some setup dirty workload, it runs well so far and also I
do get accurate numbers (200MB/s measured as 201MB/s; 300MB/s measured as
301MB/s, and so on).  Looks good to me in general.

But as I mentioned above I feel like the changeset can be shrinked quite a bit
if we can drop the extra bitmap; maybe it means we can drop half of the whole
series.  But it's also possible I missed something, let's see.

It'll slightly differ from dirty ring in that same page written will always
only be counted once between two dirty map sync, but that's expected.  Dirty
ring "sync" more frequently (either ring full, or current 1-sec timeout in the
reaper), so it re-protects more frequently too.

I still have some other small comments, I'll go into the patches.

Thanks,



--
Best regard

Hyman Huang(黄勇)
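
The counting discussed in this message (count dirty pages while the dirty log is harvested, with no separate bitmap kept for the measurement), as an added example that is not QEMU code and not part of the thread. `DirtyTracker`, `guest_write`, `dirty_log_sync` and `measure_rate` are hypothetical names; the 4 KiB page size and the 256-page workload are constructed. It also shows why a more frequent sync and re-protect counts a rewritten page again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12u            /* assumed 4 KiB guest pages */
#define NPAGES     1024u          /* constructed toy guest: 4 MiB of RAM */
#define NWORDS     (NPAGES / 64u)
#define HOT_PAGES  256u           /* constructed workload: pages 0..255 */

/* Hypothetical stand-in for the dirty log plus one global statistic. */
typedef struct {
    uint64_t log[NWORDS];         /* one bit per page, set on first write */
    uint64_t total_dirty;         /* pages counted across all syncs */
} DirtyTracker;

static unsigned popcount64(uint64_t w)
{
    unsigned n = 0;
    while (w) {                   /* clear the lowest set bit each round */
        w &= w - 1;
        n++;
    }
    return n;
}

/* A write marks its page; further writes before the next sync change nothing. */
static void guest_write(DirtyTracker *t, uint64_t gpa)
{
    uint64_t pfn = gpa >> PAGE_SHIFT;
    if (pfn >= NPAGES) {
        return;                   /* outside the toy guest, ignore */
    }
    t->log[pfn / 64] |= UINT64_C(1) << (pfn % 64);
}

/*
 * Harvest the log: count the pages reported since the last sync, add them
 * to the global statistic, then clear the bits (the re-protect step).
 * No second bitmap is kept; only the count survives.
 */
static uint64_t dirty_log_sync(DirtyTracker *t)
{
    uint64_t found = 0;
    for (unsigned i = 0; i < NWORDS; i++) {
        found += popcount64(t->log[i]);
        t->log[i] = 0;
    }
    t->total_dirty += found;
    return found;
}

static uint64_t dirty_rate_bytes_per_sec(uint64_t pages, uint64_t interval_ms)
{
    if (interval_ms == 0) {
        return 0;                 /* no interval, no rate */
    }
    return (pages << PAGE_SHIFT) * 1000u / interval_ms;
}

/*
 * Run `passes` passes over the hot pages, syncing after every `sync_every`
 * passes (0 means only once at the end), and return the measured rate.
 */
static uint64_t measure_rate(unsigned passes, unsigned sync_every,
                             uint64_t interval_ms)
{
    DirtyTracker t;
    memset(&t, 0, sizeof(t));
    for (unsigned pass = 1; pass <= passes; pass++) {
        for (uint64_t p = 0; p < HOT_PAGES; p++) {
            guest_write(&t, p << PAGE_SHIFT);
        }
        if (sync_every && pass % sync_every == 0) {
            dirty_log_sync(&t);
        }
    }
    dirty_log_sync(&t);           /* final harvest; a no-op if already clean */
    return dirty_rate_bytes_per_sec(t.total_dirty, interval_ms);
}

int main(void)
{
    /* Same workload, same 1 s interval, different sync frequency. */
    printf("one sync at the end : %llu B/s\n",
           (unsigned long long)measure_rate(4, 4, 1000));
    printf("sync after each pass: %llu B/s\n",
           (unsigned long long)measure_rate(4, 1, 1000));
    return 0;
}
```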



Re: clang build error on i686

2021-07-11 Thread Richard Henderson

On 7/3/21 10:45 AM, Peter Maydell wrote:

On Sat, 3 Jul 2021 at 15:37, Cole Robinson  wrote:


Hi, I'm hitting build errors with clang on i686 userspace on x86_64
kernel. Affects both qemu 6.0.0 and qemu.git, tested with fedora
clang-12.0.1~rc3-1.fc35.i686.

Full build log from the 6.0.0 build:
https://gist.githubusercontent.com/crobinso/7b1206044eac7326490b2adce829e861/raw/9dddef968051fd6383ba7adb9e595081ad4f8fa4/gistfile1.txt

Lots of errors like:

/usr/bin/ld: libqemu-aarch64-softmmu.fa.p/accel_tcg_cputlb.c.o: in
function `helper_atomic_cmpxchgq_le_mmu':
/builddir/build/BUILD/qemu-6.0.0/accel/tcg/atomic_template.h:86:
undefined reference to `__atomic_compare_exchange_8'
/usr/bin/ld: libqemu-aarch64-softmmu.fa.p/accel_tcg_cputlb.c.o: in
function `helper_atomic_xchgq_le_mmu':
/builddir/build/BUILD/qemu-6.0.0/accel/tcg/atomic_template.h:134:
undefined reference to `__atomic_exchange_8'

Also warnings like:

/builddir/build/BUILD/qemu-6.0.0/include/qemu/stats64.h:58:21: warning:
misaligned atomic operation may incur significant performance penalty;
the expected alignment (8 bytes) exceeds the actual alignment (4 bytes)
[-Watomic-alignment]
 uint64_t orig = qatomic_read__nocheck(>value);
 ^
/builddir/build/BUILD/qemu-6.0.0/include/qemu/atomic.h:129:5: note:
expanded from macro 'qatomic_read__nocheck'
 __atomic_load_n(ptr, __ATOMIC_RELAXED)


I think at least part of what is happening here is that this compiler/host
doesn't support native 64-bit atomics, but configure has selected
CONFIG_ATOMIC64 anyway.


Not true.  The host certainly supports it.

This is a new alignment warning in clang-12 wrt the alignment of the atomic operation. 
Which may be complicated by the fact that the i386 abi does not normally align structures 
beyond 4 bytes.


We may need to disable this warning for i386 (but not x86_64).


r~



Re: intermittent hang in qos-test for qemu-system-i386 on 32-bit arm host

2021-07-11 Thread Richard Henderson

On 7/11/21 7:21 AM, Peter Maydell wrote:

On Sun, 11 Jul 2021 at 14:23, Richard Henderson
 wrote:

I believe that I had to perform the install under tcg because I couldn't find
the right magic to boot off the debian cdrom with kvm.


Weird, it ought not in theory to care...


Looking back at the install script I used, I had u-boot boot off the cdrom, and I'm 
booting the kernel directly for kvm.  I guess there's something about the specific u-boot 
image I had that didn't work with kvm.  It has been long enough that I don't recall any 
further details.



r~


